
AndroidP-SELinux Permission Denied for a newly created service

When I add a new service, I find the following error:

SELinux : avc:  denied  { add } for service=xxxManagerService pid=3798 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0

Then I add the allow rule in system_server.te:

allow system_server default_android_service:service_manager { add };

But a build error happened:

libsepol.report_failure: neverallow on line 517 of system/sepolicy/public/domain.te (or line 10355 of policy.conf) violated by allow system_server default_android_service:service_manager { add };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/sti6030d111/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 11% 22/200] target thumb C++: libpqcontrol <= vendor/amlogic/common/frameworks/services/systemcontrol/PQ/SSMAction.cpp

What should I do to make it work and pass CTS?

Android comes with a long list of neverallow rules that make sure you don't give permissions which break the security of your device. Fortunately, these neverallow rules are well documented in the code. If you look up line 517 in system/sepolicy/public/domain.te you'll find this:

Do not allow service_manager add for default service labels. Instead domains should use a more specific type such as system_app_service rather than the generic type. New service_types are defined in {,hw,vnd}service.te and new mappings from service name to service_type are defined in {,hw,vnd}service_contexts.

You probably used audit2allow to create the rule. This seems to be an easy solution at first, but it will almost always result in a rule set that is hard to read. In the end there is no other way than understanding the basics of SELinux in Android.

See here for more information.

I cannot give you an example of what to do now as the things you need to do depend on the type of service you want to add.
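As an added illustration (not part of the answer above, and not taken from AOSP), this is the shape of the policy the quoted domain.te comment asks for: a dedicated service type in service.te, a name-to-type mapping in service_contexts, and the add/find rule granted to system_server only for that type. The service name xxxManagerService is taken from the question's denial; the type name xxx_manager_service is a placeholder and the system_server_service, system_api_service and service_manager_type attributes are assumed to be the ones your tree uses for services registered by system_server.

```selinux
# service.te: a specific label for the new Binder service (placeholder name).
# system_server_service marks it as a service that system_server registers;
# system_api_service exposes it to other system (non-app) domains.
type xxx_manager_service, system_api_service, system_server_service, service_manager_type;

# service_contexts: map the name used in ServiceManager.addService()
# to the new label, so it no longer falls back to default_android_service.
xxxManagerService                         u:object_r:xxx_manager_service:s0

# system_server.te: grant add/find on the specific type only.
# This does not touch default_android_service, so the
# "neverallow * default_android_service:service_manager add" rule
# that broke the build (and that CTS checks) is no longer violated.
allow system_server xxx_manager_service:service_manager { add find };
```

Rebuild and check the denial is gone; if the rule for system_server_service already exists in your system_server.te, the last line is redundant and can be dropped.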
