4

I'm trying to build an AOSP 9 with a new daemon, but the SELinux isn't allowing me. My sierra_config_ip.te has this beginning of document:

type sierra_config_ip, domain;
permissive sierra_config_ip;
type sierra_config_ip_exec, exec_type, file_type;

init_daemon_domain(sierra_config_ip)

My file_contexts is:

/(vendor|system/vendor)/bin/init.config.ip      u:object_r:sierra_config_ip_exec:s0

My init.rc is:

service sierra_config_ip /vendor/bin/init.config.ip
    class main
    user root
    group radio cache inet misc dhcp
    capabilities BLOCK_SUSPEND NET_ADMIN NET_RAW
    disabled
    oneshot

But I always get the following error:

[  0% 3/56037] build out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c      30 -o out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd sierra_dhcpcd_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip sierra_config_ip_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip dhcp_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip shell_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_config_ip net_data_file:dir { search };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_dhcpcd net_data_file:dir { search };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip net_data_file:file { open };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip dhcp_data_file:file { create setattr lock map unlink rename open };
libsepol.check_assertions: 10 neverallow failures occurred
Error while expanding policy

I don't know why is not working, I followed the steps described in other topics here, like this one. Can someone help me with this?

Besides that, I tried to disable SELinux to finally be able to build Android. To do this, i put it 

enforcing=0 androidboot.selinux=disabled

in BOARD_KERNEL_CMDLINE in BoardConfig.mk but the policys are builded before and the error occurs again!

I also tried putting -sierra_config_ip in domain.te:

full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones whitelist here.
    neverallow {
        domain
        -coredomain
        -appdomain
        -vendor_executes_system_violators
        -vendor_init
        -evs_domain
        -sierra_config_ip
    } {
        exec_type
        -vendor_file_type
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
')

But I get the following error:

system/sepolicy/public/domain.te:1005:ERROR 'unknown type sierra_config_ip' at token ';' on line 11251:
#line 1005
    }:file { entrypoint execute execute_no_trans };
Zoe
  • 27,060
  • 21
  • 118
  • 148
natmendes
  • 51
  • 1
  • 4

1 Answers1

0

You needs to add the following "BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive" in device/fsl/XXX/XXX/BoardConfig.mk

Fuller example:

# Kernel
BOARD_KERNEL_BASE := 0x80000000
BOARD_KERNEL_CMDLINE := console=null androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3
BOARD_KERNEL_CMDLINE += lpm_levels.sleep_disabled=1 androidboot.bootdevice=7824900.sdhci loop.max_part=7
BOARD_KERNEL_CMDLINE += firmware_class.path=/vendor/firmware_mnt/image 
BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
BOARD_KERNEL_IMAGE_NAME := Image.gz-dtb
BOARD_KERNEL_OFFSET = 0x00008000
BOARD_KERNEL_PAGESIZE := 2048
BOARD_KERNEL_TAGS_OFFSET := 0x00000100
BOARD_RAMDISK_OFFSET := 0x01000000
TARGET_KERNEL_ARCH := arm64
TARGET_KERNEL_SOURCE := kernel/lenovo/msm8953

Complete source here: https://github.com/darran-kelinske-fivestars/android_device_lenovo_tb-common/blob/ade087a14b713c163f0a92e156e9e8f82a447d22/BoardConfigCommon.mk#L150

dazza5000
  • 7,075
  • 9
  • 44
  • 89
VKS
  • 19
  • 4