
SELinux: How to get another system service inside a system service

I have a system service KioskService. Inside this system service I call another system service DpcService like this:

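import android.content.Context;
import android.os.IBinder;
import android.os.ServiceManager;
import android.util.Log;

public class KioskService extends IKioskService.Stub {

    private Context mContext;
    private IDpcService dpcService;

    public KioskService(Context context) {
        mContext = context;
    }

    @Override
    public void exitKiosk() {
        try {
            String[] emptyArray = {""};
            // Look up the other system service by its registered name.
            IBinder binder = getBinder("dpc");
            if (binder == null) {
                // Fail with a clear message instead of a NullPointerException below.
                Log.e("TAG", "Exit Kiosk: service lookup returned null");
                return;
            }
            dpcService = IDpcService.Stub.asInterface(binder);
            dpcService.setLockTaskPackages(emptyArray);
        } catch (Exception e) {
            Log.e("TAG", "Exit Kiosk Exception", e);
        }
    }

    // Returns the binder registered under serviceName, or null if the lookup fails.
    private IBinder getBinder(String serviceName) {
        return ServiceManager.getService(serviceName);
    }
}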

However I get this error:

05-06 06:40:00.088 604 604 E SELinux : avc: denied { find } for service=msi_dpc pid=5375 uid=1000 scontext=u:r:kiosk_app:s0 tcontext=u:object_r:dpc_service:s0 tclass=service_manager permissive=0

I guess the reason is that, with the SELinux policy, I have to allow my kiosk service to use my dpc service. If that is the case, how do I do it?

Yes, you are right. You are trying to find another service with the ServiceManager.getService method call, so your system produced access denials for this search operation. There can be a variety of solutions. My advice is that you have to have the audit2allow library (you can easily google and download it). But the simplest one: first pull the current system policy file:

adb pull /sys/fs/selinux/policy SEPOLICY_FILE

Then execute this command with that SEPOLICY file:

cat /logs/logfile.log | audit2allow -p SEPOLICY_FILE

It gives you some recommendations. The log file holds your complete access denial messages.

I hope it works for you.
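
To show what kind of recommendation to expect from the denial in the question, here is an added example (not part of the original answer, and not audit2allow's own code) that turns avc denial lines into deduplicated allow rules. The function names and every log line other than the one quoted in the question are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial quoted in the question, a made-up
# repeat of it, and an unrelated logcat line.
SAMPLE_LOG = """\
05-06 06:40:00.088 604 604 E SELinux : avc: denied { find } for service=msi_dpc pid=5375 uid=1000 scontext=u:r:kiosk_app:s0 tcontext=u:object_r:dpc_service:s0 tclass=service_manager permissive=0
05-06 06:40:05.120 604 604 E SELinux : avc: denied { find } for service=msi_dpc pid=5375 uid=1000 scontext=u:r:kiosk_app:s0 tcontext=u:object_r:dpc_service:s0 tclass=service_manager permissive=0
05-06 06:40:06.000 5375 5375 E TAG : Exit Kiosk Exception
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def denials_to_rules(log_text):
    """Collapse avc denials into deduplicated allow rules."""
    wanted = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        wanted[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

Each generated rule grants exactly the access that was denied, so read it against the scontext and tcontext in the log and confirm that the source domain is meant to reach that service before adding it to the policy.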
