Olivier

Reputation: 118

How can I run a script at boot under LineageOS 13, and not be blocked by SELinux?

I'm trying to run sshd on LineageOS 13 at boot time. The setup is, roughly speaking, as described for CyanogenMod in https://web.archive.org/web/20161224194019/https://wiki.cyanogenmod.org/w/Doc:_sshd . After following the suggested configuration steps, I can start sshd interactively under a root adb shell like so:

root@espressowifi:/ # /data/local/userinit.d/99sshd
Could not load host key: /data/ssh/ssh_host_dsa_key

It complains about the key, but starts anyway, and clients can connect, so far so good.

I now want to start sshd at boot time. It looks like this gets blocked by SELinux:

root@espressowifi:/ # logcat | grep 99sshd
01-25 17:44:28.492   199   199 W logwrapper: type=1400 audit(0.0:5): avc: denied { execute } for name="99sshd" dev=mmcblk0p10 ino=1830 scontext=u:r:sysinit:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
01-25 17:44:28.499   196   196 I 99sshd  : executing /data/local/userinit.d/99sshd failed: Permission denied
01-25 17:44:28.499   199   199 E logwrapper: executing /data/local/userinit.d/99sshd failed: Permission denied
01-25 17:44:28.506   196   196 I 99sshd  : 99sshd terminated by exit(255)

I tried to chcon the 99sshd file, to no avail, and in fact the context ends up being restored after booting. That restored file context seems to be taken from /file_contexts, which you can edit after a

root@espressowifi:/ # mount -o rw,remount -t rootfs /

But that file also gets restored to some original version. setenforce 0 doesn't survive booting.

Other people seem to have had similar issues, but the lineageos jira tags the issue as a feature: https://jira.lineageos.org/browse/BUGBASH-118

Is there a way to run custom boot scripts under Lineage OS 13?

Upvotes: 0

Views: 1459

Answers (1)

Mixaz

Reputation: 4178

Recently I did something like that, to add a VNC server to a LOS 14.1 ROM. In theory you need to do the following:

1) create a service for your sshd daemon; it will be an .rc file you'll place in the /etc/init/ folder

2) start that service from a boot init script .sh file

3) add sshd to sepolicy/file_contexts

4) change SE policy for the boot init script, to exec your binary (sshd)

5) add SE policy for your binary, to access Linux resources

You can see what files I modified for Xiaomi Note 4 (mido) to put VNC there: https://github.com/mixaz/android_device_xiaomi_mido/commit/25d62bd131d6ed51999d8a19f70fd427758a0bac

Important note: the SE policy rules there were generated from logcat output by a tool; I do not remember now what I used, you can probably google it. It is not recommended, but my ROM is an experimental one, so I didn't care. I didn't research much in this area.

Upvotes: 0
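An added example, not code from the question or the answer above: a POSIX shell script that scaffolds the files the five steps describe (an init .rc service, a file_contexts entry and a .te domain) into a device-tree directory, plus a small sed helper that turns an AVC denial line from logcat into an audit2allow-style rule, which is what the generator tool mentioned in the answer does. The domain name sshd, the type sshd_exec, the binary path /system/bin/sshd, the directory layout and the exact allow rules are assumptions for illustration; the denial line used in the usage is the one from the question. Treat the generated rule as something to review, not to add blindly: the denial in the question is the base policy refusing to let sysinit execute a file labelled system_data_file, and allowing that reopens exactly what the policy is there to prevent, whereas a service with its own labelled domain does not need it.

```shell
#!/bin/sh
# Added example (not from the question or answer): scaffold the init service,
# file_contexts entry and SELinux domain for an sshd daemon in a LineageOS
# device tree, and convert an AVC denial from logcat into an allow rule for
# review. Domain name "sshd", type "sshd_exec", /system/bin/sshd and the
# directory layout are assumptions.
set -eu

# Steps 1, 3, 4 and 5 of the answer as files under a device-tree dir ($1).
scaffold_sshd_policy() {
    dir=$1
    mkdir -p "$dir/init" "$dir/sepolicy"

    # Step 1: an init service (ends up as /system/etc/init/sshd.rc in the
    # ROM). "seclabel" runs the daemon in its own domain rather than in the
    # domain of whatever started it, which is what the sysinit denial is about.
    cat > "$dir/init/sshd.rc" <<'EOF'
service sshd /system/bin/sshd -D
    class late_start
    user root
    group root
    seclabel u:r:sshd:s0
    disabled

on property:sys.boot_completed=1
    start sshd
EOF

    # Step 3: label the binary so init can transition into the sshd domain.
    cat > "$dir/sepolicy/file_contexts" <<'EOF'
/system/bin/sshd        u:object_r:sshd_exec:s0
EOF

    # Steps 4 and 5: the domain. init_daemon_domain() grants init the
    # transition into sshd via sshd_exec, net_domain() gives it sockets;
    # the remaining rules are the minimum for a listening daemon that reads
    # its host keys from /data (default label system_data_file). Adjust to
    # what the build's neverallow rules and your own denials require.
    cat > "$dir/sepolicy/sshd.te" <<'EOF'
type sshd, domain;
type sshd_exec, exec_type, file_type;
init_daemon_domain(sshd)
net_domain(sshd)
allow sshd self:capability { net_bind_service setuid setgid };
allow sshd self:tcp_socket { create bind listen accept };
allow sshd system_data_file:dir search;
allow sshd system_data_file:file { open read getattr };
EOF
}

# Turn one "avc: denied" line into an allow rule, the way the generator
# tools do. Output is a starting point for review, not policy to ship.
avc_to_allow() {
    printf '%s\n' "$1" | sed -n \
        's/.*avc: denied { \([^}]*\) }.*scontext=u:r:\([^:]*\):s0.*tcontext=u:object_r:\([^:]*\):s0.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1 };/p'
}

# Usage: sh this.sh <device-tree-dir> '<avc denied line from logcat>'
if [ $# -eq 2 ]; then
    scaffold_sshd_policy "$1"
    avc_to_allow "$2"
fi
```

Run against the denial from the question the helper prints `allow sysinit system_data_file:file { execute };`, which is the rule you should not add: it would let the init.d runner execute anything under /data. The scaffolded service avoids the need for it by starting the binary from /system under its own domain.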
