Reputation: 31
I want to run a service through init (Android 8.1, sepolicy=permissive).
The service executes a script file, which is as follows.
tcc898x:/ # cat /system/bin/tcc_dxb_service
#!/system/bin/sh
echo ----------------
echo RICHGOLD.
echo ----------------
Service execution in init proceeds as follows.
tcc898x:/ # cat init.tcc898x.rc
(...)
on boot
(...)
start tcc_dxb_service
(...)
service tcc_dxb_service /system/bin/tcc_dxb_service
class main
user root
u:object_r:tcc_dxb_service_exec:s0
And to add the domain, the following sepolicy file is added.
# cat (Android 8.1 SDK)/device/(vendor)/(product)/sepolicy/tcc_dxb_service.te
type tcc_dxb_service, domain;
type tcc_dxb_service_exec, exec_type, system_file_type, file_type;
init_daemon_domain(tcc_dxb_service)
When the tcc_dxb_service service is executed, the following output is displayed.
tcc898x:/ # start tcc_dxb_service
init: could not get context while starting 'tcc_dxb_service'
Please tell me how to register the domain in Sepolicy to run the service.
Thanks.
Upvotes: 3
Views: 4054
Reputation: 31
Thanks for your answer.
I referenced the Android reference site to add services to the project under development.
service foo /system/bin/foo
class core
/system/bin/foo u:object_r:foo_exec:s0
# foo service
# Integrated foo process
type foo, domain;
type foo_exec, exec_type, file_type;
# started by init
init_daemon_domain(foo)
(/system/bin/foo)
echo "-----"
echo "RICHGOLD"
echo "-----"
I set it like this. When building, the following error occurs.
FAILED: out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/tcc898x/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/tcc898x/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"eng\" = \"user\" -a -s out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/tcc898x/obj/ETC/sepolicy_intermediates/sepolicy )"
neverallow check failed at out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2715
(neverallow base_typeattr_56_27_0 base_typeattr_57_27_0 (file (execute execute_no_trans entrypoint)))
<root>
allow at out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6207
(allow foo foo_exec (file (read getattr map execute entrypoint open)))
neverallow check failed at out/target/product/tcc898x/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4641 from system/sepolicy/public/domain.te:668
(neverallow base_typeattr_56 base_typeattr_57 (file (execute execute_no_trans entrypoint)))
<root>
allow at out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6207
(allow foo foo_exec (file (read getattr map execute entrypoint open)))
Failed to generate binary
Failed to build policydb
[ 2% 110/5135] build out/target/product/tcc898x/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
FAILED: out/target/product/tcc898x/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
/bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/tcc898x/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/tcc898x/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/tcc898x/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null"
neverallow check failed at out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2715
(neverallow base_typeattr_56_27_0 base_typeattr_57_27_0 (file (execute execute_no_trans entrypoint)))
<root>
allow at out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6207
(allow foo foo_exec (file (read getattr map execute entrypoint open)))
neverallow check failed at out/target/product/tcc898x/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4641 from system/sepolicy/public/domain.te:668
(neverallow base_typeattr_56 base_typeattr_57 (file (execute execute_no_trans entrypoint)))
<root>
allow at out/target/product/tcc898x/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6207
(allow foo foo_exec (file (read getattr map execute entrypoint open)))
Failed to generate binary
Failed to build policydb
ninja: build stopped: subcommand failed.
17:24:01 ninja failed with: exit status 1
#### failed to build some targets (43 seconds) ####
If init_daemon_domain(foo) is removed from the domain definition ((android SDK)/device/(vendor)/(device)/sepolicy/foo.te),
# foo service
# Integrated foo process
type foo, domain;
type foo_exec, exec_type, file_type;
# started by init
# init_daemon_domain(foo)
the build completes normally, but the log below is displayed when the service is executed.
# start foo
init: service foo does not have a SELinux domain defined
How do I add a domain? Please give me tips on neverallow.
Thanks.
Upvotes: 0
Reputation: 2036
You have to add seclabel to your service definition, change object_r to r, and use the tcc_dxb_service type instead of tcc_dxb_service_exec.
service tcc_dxb_service /system/bin/tcc_dxb_service
class main
user root
seclabel u:r:tcc_dxb_service:s0
Upvotes: 2
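The three pieces the answer ties together (the service stanza's seclabel, the .te type declarations, and the binary's file_contexts label) can be cross-checked mechanically. The script below is an added example, not code from the question or answer; its inputs are constructed from the snippets on this page, and the mapping of each finding to an init message is how the check labels it, not a parser of init's own logs.

```python
import re

# Constructed inputs modelled on the page (not the poster's files): the
# first attempt (bare context line), the follow-up with init_daemon_domain()
# commented out, and the answer's corrected stanza.
RC_PLAIN = ("service tcc_dxb_service /system/bin/tcc_dxb_service\n"
            "    class main\n    user root\n")
RC_BROKEN = RC_PLAIN + "    u:object_r:tcc_dxb_service_exec:s0\n"
RC_FIXED = RC_PLAIN + "    seclabel u:r:tcc_dxb_service:s0\n"
TE = ("type tcc_dxb_service, domain;\n"
      "type tcc_dxb_service_exec, exec_type, system_file_type, file_type;\n"
      "init_daemon_domain(tcc_dxb_service)\n")
TE_NO_TRANS = TE.replace("init_daemon_domain", "# init_daemon_domain")
FILE_CONTEXTS = "/system/bin/tcc_dxb_service u:object_r:tcc_dxb_service_exec:s0\n"

TYPE_RE = re.compile(r"^type\s+(\w+)\s*,\s*([\w\s,]+);", re.M)

def parse_te(te):
    """Map each type declared in a .te fragment to the attributes it carries."""
    return {name: {a.strip() for a in attrs.split(",")}
            for name, attrs in TYPE_RE.findall(te)}

def check_service(rc, te, file_contexts):
    """Return the labelling problems found for one init service stanza."""
    problems, types = [], parse_te(te)
    svc = re.search(r"^service\s+(\w+)\s+(\S+)", rc, re.M)
    name, path = svc.group(1), svc.group(2)
    fc = re.search(r"^%s\s+u:object_r:(\w+):" % re.escape(path), file_contexts, re.M)
    if fc and "exec_type" not in types.get(fc.group(1), set()):
        problems.append(f"{fc.group(1)} lacks exec_type")
    bare = re.search(r"^[ \t]*(u:\w+:\w+:\S+)[ \t]*$", rc, re.M)
    if bare:
        problems.append(f"context {bare.group(1)} needs the seclabel keyword")
    sec = re.search(r"^[ \t]*seclabel[ \t]+(\S+)", rc, re.M)
    if sec:
        # Explicit label: a process label (role r) naming a type with 'domain'.
        _user, role, typ, _level = sec.group(1).split(":", 3)
        if role != "r":
            problems.append(f"seclabel role {role!r} must be 'r'")
        if "domain" not in types.get(typ, set()):
            problems.append(f"{typ} is not a domain type")
    else:
        # No seclabel: init needs the binary's file label plus a transition
        # rule, which init_daemon_domain() supplies, to pick the domain.
        if not fc:
            problems.append(f"{path} has no file_contexts entry (could not get context)")
        if not re.search(r"^[ \t]*init_daemon_domain\(", te, re.M):
            problems.append("no init_daemon_domain() (no SELinux domain defined)")
    return [f"{name}: {p}" for p in problems]
```

Run against RC_FIXED with TE and FILE_CONTEXTS the check returns no findings; against RC_BROKEN with an empty file_contexts it reports the bare context line and the missing file label, and against RC_PLAIN with TE_NO_TRANS it reports the missing transition.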