Init warning: myservice needs an SELinux domain. Please fix

I want to unload the executable on boot on the target board with Android 5.1, so I added this to init.rc:

on boot
    start myservice

service myservice /system/bin/myservice
    #class main
    user root
    group root
    #oneshot

I unpacked and repacked the image. However, after making the changes, the screen keeps printing:

 init warning: Service myservice needs a SELinux domain defined. Please fix.
 type=1400 ... avc:denied ... scontext ... tcontext ... #some annoying warning messages like this


SELinux seems like a huge project to me. I just want to avoid it. I tried two approaches:

1. setenv kernelargs 'console=ttyS0,115200n8 rootdelay=1 selinux=0' and saveenv
2. setenforce 0

For method 1, printenv gives the result:

kernelargs=console=ttyS0,115200n8 rootdelay=1 selinux=0

So, you see, the changes have been made. But warning messages keep printing after reboot.
For method 2, it says:

Could not set enforce status. Permission denied.


So now I'm trapped in a dilemma with no idea where to go. My questions:

    1. Does anyone know how to disable SELinux or set permissive mode in Android?
    2. What files should I change if I want to define a domain for a new service?

Also, ls -Z /system/bin/myservice gives the following:

u:object_r:system_file:s0

+3




3 answers


  • You need su to set permissive mode. Or you need the source code to disable SELinux, for example by disabling SELinux in the kernel config, or by disabling SELinux in BOARD_KERNEL_CMDLINE in device/vendor_name/product_name/BoardConfig.mk.

  • Once you have the source code, you can define the new domain as you like.

Please refer to the Android official docs: https://source.android.com/security/selinux/device-policy (section "Label new services and address denials").

+1


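The answer above says to define the new domain once you have the source tree. The following is an added example (not from the question or any of the answers) of the three files that involves: a myservice.te with a domain and an exec type, a file_contexts entry for the binary, and the init.rc service block. It also contains a simplified model of the check that produces the "needs a SELinux domain defined" warning: init either uses the service's seclabel or computes the transition from its own context through the executable's label, and warns when the result is still init's own domain. The service name and paths come from the question; the policy lines are AOSP te_macros of the Android 5.x era; the checker is assumption-labelled and only models the pieces relevant here (seclabel, last-match file_contexts lookup, the init_daemon_domain transition).

```python
"""Files that give an init service its own SELinux domain, plus a simplified
re-creation of the check behind init's "needs a SELinux domain" warning.

Added example, not taken from the question or the answers. 'myservice' and
the paths come from the question; everything else is an assumption.
"""
import os
import re

# 1. sepolicy/myservice.te (constructed; put it in a dir listed in BOARD_SEPOLICY_DIRS)
MYSERVICE_TE = """\
# A domain for the process and a type for its executable.
type myservice, domain;
type myservice_exec, exec_type, file_type;

# Lets init spawn the daemon: init executing a myservice_exec file
# transitions into the myservice domain (domain_auto_trans plus allow rules).
init_daemon_domain(myservice)
"""

# 2. sepolicy/file_contexts (constructed). The /system catch-all is what gives an
#    unlabelled binary the system_file type the question observed with ls -Z.
FILE_CONTEXTS = """\
/system(/.*)?            u:object_r:system_file:s0
/system/bin/myservice    u:object_r:myservice_exec:s0
"""

# 3. init.rc entry (constructed). No seclabel: the domain comes from the label.
INIT_RC = """\
service myservice /system/bin/myservice
    class main
    user root
    group root
"""


def write_policy(dest_dir):
    """Write the three fragments below dest_dir and return their paths."""
    os.makedirs(dest_dir, exist_ok=True)
    out = {}
    for name, body in (("myservice.te", MYSERVICE_TE),
                       ("file_contexts", FILE_CONTEXTS),
                       ("init.rc", INIT_RC)):
        path = os.path.join(dest_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        out[name] = path
    return out


def file_type(path, file_contexts):
    """Type a path gets from file_contexts: the LAST matching regex wins,
    which is why the specific entry must come after the /system(/.*)? line."""
    label = None
    for line in file_contexts.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if re.fullmatch(parts[0], path):
            label = parts[-1].split(":")[2]   # u:object_r:TYPE:s0 -> TYPE
    return label


def seclabel_for(exec_path, init_rc):
    """Domain named by a 'seclabel' line in the service's init.rc block, if any."""
    in_block = False
    for line in init_rc.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] in ("service", "on", "import"):
            in_block = words[0] == "service" and len(words) > 2 and words[2] == exec_path
        elif in_block and words[0] == "seclabel":
            return words[1].split(":")[2]     # u:r:DOMAIN:s0 -> DOMAIN
    return None


def service_domain(exec_path, te_text, file_contexts, init_rc, init_domain="init"):
    """Simplified model of what init does at 'start': returns (domain, warning).
    The warning is the condition behind 'Service ... needs a SELinux domain defined'."""
    label = seclabel_for(exec_path, init_rc)
    if label:                       # explicit seclabel: init skips the computation
        return label, None
    exec_type = file_type(exec_path, file_contexts)
    # init_daemon_domain(X) contains domain_auto_trans(init, X_exec, X)
    transitions = {m.group(1) + "_exec": m.group(1)
                   for m in re.finditer(r"init_daemon_domain\((\w+)\)", te_text)}
    declared = set(re.findall(r"^type\s+(\w+)", te_text, re.M))
    domain = transitions.get(exec_type, init_domain)
    if domain == init_domain:
        return domain, ("needs a SELinux domain defined: label %s has no "
                        "transition away from %s" % (exec_type, init_domain))
    missing = {domain, exec_type} - declared
    if missing:
        return domain, "referenced but never declared: " + ", ".join(sorted(missing))
    return domain, None


if __name__ == "__main__":
    for path in ("/system/bin/myservice", "/system/bin/other"):
        print(path, "->", service_domain(path, MYSERVICE_TE, FILE_CONTEXTS, INIT_RC))
```

The binary that has no specific file_contexts line falls through to system_file and the model reports the same condition init warns about; the labelled one resolves to the myservice domain. A seclabel line short-circuits the lookup, which is why the init_exec approach in the next answer silences the warning without giving the daemon a domain of its own.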


You have to add the seclabel attribute to the service in your init.rc file, but I don't know if your context will work. I only implemented this myself in the context of init_exec:

$ grep yourservice system/sepolicy/file_contexts
/system/bin/vpd u:object_r:init_exec:s0

$ ls -Z path/to/system/bin/yourservice
u:object_r:init_exec:s0 path/to/system/bin/yourservice

$ grep yourservice device/brand/product/init.rc  -A 5
service yourservice /system/bin/yourservice
    seclabel u:r:init:s0
    user root
    group root
    oneshot




Disabling SELinux on Android is not difficult and there are many questions addressing this issue. Just add one of the following options to your kernel command line options (e.g. bootargs in U-Boot):

androidboot.selinux=permissive
androidboot.selinux=disabled


0




I faced a very similar problem myself and this is what I found:

When you run ls -Z /system/bin/myservice and get this:

u:object_r:system_file:s0

this means your file is in the system_file domain. Now this is not very good, as system files should not be executed, or at least not during initialization (you can still execute it later from the terminal in the usual way).

In my case, I was lucky because I was replacing an existing system service with a customized one that I compiled from source. This means that I was able to check the security context of the original file that I was replacing, and ls -Z /system/bin/myservice.bak gave:

u:object_r:myservice_exec:s0

So I updated my new file to the same using chcon u:object_r:myservice_exec:s0 /system/bin/myservice

After that, everything worked fine.

If you want to create a new service, you may need to use a domain that already exists in your policies, as simply setting it to myservice_exec will not help, since in your case it will be a nonexistent domain. If I were in your shoes and wanted to avoid defining my own policy, I would try to find a service with similar security, check the domain in that, and try to set the same for my service. init_exec might be a good candidate, but your mileage may vary...

0


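Once the service runs in a domain of its own, the remaining "type=1400 ... avc: denied" lines the question quotes are what the docs call addressing denials: each one names a source type, a target type, an object class and the permissions that were refused, and the fix is an allow rule for exactly that triple, reviewed one by one rather than copied blindly. The following is an added example (not from the thread) that does the grouping audit2allow does on AOSP, in a simplified form; the log lines are constructed in the kernel's standard AVC format, and the type names (sysfs, system_data_file) are ordinary AOSP types used only as sample targets.

```python
"""Summarise SELinux AVC denials into candidate allow rules (audit2allow-style).

Added example, not from the original thread. SAMPLE_LOG is constructed in the
shape of the 'type=1400 ... avc: denied' lines the question mentions.
"""
import re
from collections import defaultdict

# Constructed sample: three denials from an enforcing boot, one recorded while
# permissive (permissive=1, i.e. logged but not blocked), and one unrelated line.
SAMPLE_LOG = """\
type=1400 audit(1430000000.001:12): avc: denied { read } for pid=1234 comm="myservice" name="config.txt" dev="mmcblk0p1" ino=42 scontext=u:r:myservice:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=1400 audit(1430000000.002:13): avc: denied { open } for pid=1234 comm="myservice" path="/data/misc/myservice/config.txt" dev="mmcblk0p1" ino=42 scontext=u:r:myservice:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=1400 audit(1430000000.003:14): avc: denied { write } for pid=1234 comm="myservice" name="brightness" dev="sysfs" ino=99 scontext=u:r:myservice:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
type=1400 audit(1430000000.004:15): avc: denied { create } for pid=1234 comm="myservice" scontext=u:r:myservice:s0 tcontext=u:r:myservice:s0 tclass=netlink_kobject_uevent_socket permissive=1
this line is not a denial and is ignored
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the denial's fields (perms as a set, plus scontext/tcontext/tclass/...)
    or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = set(m.group("perms").split())
    return fields


def type_of(context):
    """u:r:myservice:s0 -> myservice (the type is the third field of a context)."""
    return context.split(":")[2]


def suggest_allow_rules(log_text):
    """Group denials by (source type, target type, class), merge their permission
    sets and emit one allow rule per group. An identical target becomes 'self'."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
        grouped[(src, "self" if tgt == src else tgt, d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms_str = " ".join(sorted(perms))
        if len(perms) > 1:
            rules.append(f"allow {src} {tgt}:{cls} {{ {perms_str} }};")
        else:
            rules.append(f"allow {src} {tgt}:{cls} {perms_str};")
    return rules


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_LOG):
        print(rule)
```

Each emitted rule is a starting point for review, not a drop-in: a denial on a broad type such as system_data_file usually means the file wants its own type and a narrower rule, and a write to sysfs deserves a look at whether the daemon needs it at all. The generated rules go in the same myservice.te that declares the domain.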

