Hi,
I'm trying to add the seLinux policies for a new native binder service
named mcu_service, but it keeps reporting the error message:
10-24 04:14:45.285 513 513 E SELinux : avc: denied { add } for
service=McuService pid=1252 uid=0 scontext=u:r:mcu_service:s0
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=1
And if the seLinux is set as enforced mode, it's getting worse to lunch
this service reporting like "add_service uid=1000 - PERMISSION DENIED".
Here are the settings I added for the service (in the target seLinux files
device/xx/sepolicy):
service.te:
type mcu_service_service, service_manager_type;
service_contexts:
mcu.service u:object_r:mcu_service_service:s0
mcu_service.te:
type mcu_service, domain;
type mcu_service_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mcu_service)
......
binder_service(mcu_service)
add_service(mcu_service, mcu_service_service)
......
I tried to add the rule "allow mcu_service
default_android_service:service_manager add;", but it failed to pass the
build because of the never_allow rules on default_android_service.
Could anyone give me the hand on such issue?
Thanks,
Xiaofeng
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at https://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
