Hi guys,

I am not able to add a service properly in init.rc, could you please share any information, like how to add and create an SELinux policy?

I am doing.....

service testapp /system/bin/testapp //adding in init.rc

Created policy in /device/../sepolicy/testapp.te

Working on Android 8, please let me know if you have any inputs.

On Mon, Jul 15, 2019, 11:40 PM 'Dan Willemsen' via Android Building <[email protected]> wrote:

> It looks like you've got some custom sepolicy that is violating neverallow
> rules (https://source.android.com/security/selinux/customize#neverallow):
>
> neverallow check failed at
> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4265
>
> * (neverallow base_typeattr_55_27_0 base_typeattr_56_27_0 (file (execute
> execute_no_trans entrypoint)))* <root>
> allow at
> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>
> * (allow newtestapp newtestapp_exec (file (read getattr map execute
> entrypoint open)))*
> neverallow check failed at
> out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4754
> from *system/sepolicy/public/domain.te:668*
>
> * (neverallow base_typeattr_55 base_typeattr_56 (file (execute
> execute_no_trans entrypoint)))* <root>
> allow at
> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
> * (allow newtestapp newtestapp_exec (file (read getattr map execute
> entrypoint open)))*
>
> You'll probably want to remove or limit the execute / entrypoint allows
> for newtestapp -- see any comments around
> system/sepolicy/public/domain.te:668 for more details.
>
> - Dan
>
> On Mon, Jul 15, 2019 at 9:31 AM Shilesh Babu <[email protected]>
> wrote:
>
>> Hi Kun Li,
>> I am facing the same issue, could you please suggest anything?
>>
>> system/core/liblog/include/log/log_main.h:240:52: note: expanded from
>> macro 'ALOGE'
>> #define ALOGE(...) ((void)ALOG(LOG_ERROR, LOG_TAG, __VA_ARGS__))
>> ^~~~~~~~~~~
>> system/core/liblog/include/log/log_main.h:306:67: note: expanded from
>> macro 'ALOG'
>> #define ALOG(priority, tag, ...) LOG_PRI(ANDROID_##priority, tag,
>> __VA_ARGS__)
>>
>> ^~~~~~~~~~~
>> system/core/liblog/include/log/log_main.h:70:69: note: expanded from
>> macro 'LOG_PRI'
>> #define LOG_PRI(priority, tag, ...) android_printLog(priority, tag,
>> __VA_ARGS__)
>>
>> ^~~~~~~~~~~
>> system/core/liblog/include/log/log_main.h:61:34: note: expanded from
>> macro 'android_printLog'
>> __android_log_print(prio, tag, __VA_ARGS__)
>> ^~~~~~~~~~~
>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:849:55:
>> warning: unused parameter 'hComponent' [-Wunused-parameter]
>> OMX_ERRORTYPE omx_test_enc_ebd(OMX_OUT OMX_HANDLETYPE hComponent,
>> ^
>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:850:59:
>> warning: unused parameter 'pBuffer' [-Wunused-parameter]
>> OMX_OUT OMX_PTR pAppData, OMX_OUT OMX_BUFFERHEADERTYPE* pBuffer)
>> ^
>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:895:55:
>> warning: unused parameter 'hComponent' [-Wunused-parameter]
>> OMX_ERRORTYPE omx_test_enc_fbd(OMX_OUT OMX_HANDLETYPE hComponent,
>> ^
>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:945:64:
>> warning: unused parameter 'hComponent' [-Wunused-parameter]
>> OMX_ERRORTYPE omx_test_enc_event_handler(OMX_IN OMX_HANDLETYPE hComponent,
>> ^
>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:950:18:
>> warning: unused parameter 'pEventData' [-Wunused-parameter]
>> OMX_IN OMX_PTR pEventData)
>> ^
>> 9 warnings generated.
>> [ 8% 372/4315] Copy: out/target/product/N1/obj/lib/libmmjpeg.so
>> [ 8% 373/4315] build
>> out/target/product/N1/obj/SHARED_LIBRARIES/libmmjpeg_intermediates/libmmjpeg.so.toc
>> [ 8% 374/4315] Install: out/target/product/N1/vendor/lib/libmmjpeg.so
>> [ 8% 375/4315] Copy: out/target/product/N1/obj/lib/libmmjpeg.so.toc
>> [ 8% 376/4315] target Executable: mm-qomx-ienc-test
>> (out/target/product/N1/obj/EXECUTABLES/mm-qomx-ienc-test_intermediates/LINKED/mm-qomx-ienc-test)
>> [ 8% 377/4315] target SharedLib: libmmqjpeg_codec
>> (out/target/product/N1/obj/SHARED_LIBRARIES/libmmqjpeg_codec_intermediates/LINKED/libmmqjpeg_codec.so)
>> [ 8% 378/4315] target Pack Relocations: libmmqjpeg_codec
>> (out/target/product/N1/obj/SHARED_LIBRARIES/libmmqjpeg_codec_intermediates/PACKED/libmmqjpeg_codec.so)
>> [ 8% 379/4315] target Unpacked: mm-qomx-ienc-test
>> (out/target/product/N1/obj/EXECUTABLES/mm-qomx-ienc-test_intermediates/PACKED/mm-qomx-ienc-test)
>> [ 8% 380/4315] target Symbolic: libmmqjpeg_codec
>> (out/target/product/N1/symbols/vendor/lib/libmmqjpeg_codec.so)
>> [ 8% 381/4315] target Symbolic: mm-qomx-ienc-test
>> (out/target/product/N1/symbols/system/bin/mm-qomx-ienc-test)
>> [ 8% 382/4315] build
>> out/target/product/N1/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
>> FAILED:
>> out/target/product/N1/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
>>
>> /bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30
>> out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil
>> out/target/product/N1/obj/ETC/27.0.cil_intermediates/27.0.cil
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil
>> -o
>> out/target/product/N1/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
>> -f /dev/null"
>> neverallow check failed at
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4265
>> (neverallow base_typeattr_55_27_0 base_typeattr_56_27_0 (file (execute
>> execute_no_trans entrypoint)))
>> <root>
>> allow at
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>> (allow newtestapp newtestapp_exec (file (read getattr map execute
>> entrypoint open)))
>>
>> neverallow check failed at
>> out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4754
>> from system/sepolicy/public/domain.te:668
>> (neverallow base_typeattr_55 base_typeattr_56 (file (execute
>> execute_no_trans entrypoint)))
>> <root>
>> allow at
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>> (allow newtestapp newtestapp_exec (file (read getattr map execute
>> entrypoint open)))
>>
>> Failed to generate binary
>> Failed to build policydb
>>
>> On Tuesday, November 7, 2017 at 9:27:49 PM UTC+5:30, Paul Chang wrote:
>>>
>>> You should delete this rule from nonplat_sepolicy.cil:
>>> allow domain sysfs_qemu_trace (file (ioctl read write getattr lock
>>> append map open))
>>>
>>> 2017-10-13 10:47 GMT+08:00 Kun Li <[email protected]>:
>>>
>>>> I met a sepolicy error when building the latest Android O code
>>>> with car_emu_x86_64-userdebug:
>>>> ------------------
>>>> [ 82% 60943/73832] build
>>>> out/target/product/.-x86_64/obj/ETC/sepolicy_intermediates/sepolicy
>>>> FAILED:
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy
>>>> /bin/bash -c "(out/host/linux-x86/bin/secilc -m -M true -G -c 30
>>>> out/target/product/car-x86_64/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil
>>>> out/target/product/car-x86_64/obj/ETC/10000.0.cil_intermediates/10000.0.cil
>>>> out/target/product/car-x86_64/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil
>>>> -o
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>>>> -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>>>> permissive >
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>>>> ) && (if [ \"userdebug\" = \"user\" -a -s
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>>>> ]; then echo \"==========\" 1>&2; echo
>>>> \"ERROR: permissive domains not allowed in user builds\" 1>&2;
>>>> echo \"List of invalid domains:\" 1>&2; cat
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>>>> 1>&2; exit 1; fi ) && (mv
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy )"
>>>> neverallow check failed at
>>>> out/target/product/car-x86_64/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:11513
>>>> from system/sepolicy/private/isolated_app.te:113
>>>> (neverallow isolated_app base_typeattr_290 (file (ioctl read write
>>>> create setattr lock relabelfrom append unlink link rename open)))
>>>> <root>
>>>> allow at
>>>> out/target/product/car-x86_64/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6402
>>>> (allow domain sysfs_qemu_trace (file (ioctl read write getattr
>>>> lock append map open)))
>>>>
>>>> Failed to generate binary
>>>> Failed to build policydb
>>>> [ 82% 60946/73832] //frameworks/compile/slang:llvm-rs-cc clang++
>>>> slang_rs_object_ref_count.cpp [linux_glibc]
>>>> ninja: build stopped: subcommand failed.
>>>> 19:10:30 ninja failed with: exit status 1
>>>>
>>>> No idea about this error, has anyone met this before?
>>>>
>>>> --
>>>> You received this message because you are subscribed to the "Android
>>>> Building" mailing list.
>>>> To post to this group, send email to [email protected]
>>>> To unsubscribe from this group, send email to
>>>> [email protected]
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/android-building?hl=en
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Android Building" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
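
Added example, not part of the original thread and not AOSP code: a small Python parser for the secilc "neverallow check failed" output quoted above. It pairs each failed neverallow with the allow rule blamed for it and lists the permissions the two share. The names normalize and parse_failures are illustrative, and the sample log is reconstructed from the output in the thread.

```python
import re

# Constructed sample: the domain.te:668 failure quoted in this thread, with the
# e-mail wrapping undone so it looks the way secilc prints it.
SAMPLE_LOG = """\
neverallow check failed at out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4754 from system/sepolicy/public/domain.te:668
  (neverallow base_typeattr_55 base_typeattr_56 (file (execute execute_no_trans entrypoint)))
    <root>
    allow at out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
      (allow newtestapp newtestapp_exec (file (read getattr map execute entrypoint open)))
Failed to generate binary
"""


def _rule(kind, p):
    # One CIL access-vector rule: (kind source target (class (perm ...)))
    return (rf"\({kind} (?P<{p}src>\S+) (?P<{p}tgt>\S+) "
            rf"\((?P<{p}cls>\w+) \((?P<{p}perms>[^)]*)\)\)\)")


FAILURE = re.compile(
    r"neverallow check failed at (?P<cil>\S+)(?: from (?P<te>\S+))? "
    + _rule("neverallow", "n_") + r" <root> allow at (?P<allow_at>\S+) "
    + _rule("allow", "a_"))


def normalize(text):
    # Drop mail quote markers (">> ") and indentation, then undo line wrapping.
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    return " ".join(" ".join(lines).split())


def parse_failures(text):
    """Pair each failed neverallow with the allow rule secilc blames for it."""
    results = []
    for m in FAILURE.finditer(normalize(text)):
        denied, granted = m["n_perms"].split(), m["a_perms"].split()
        results.append({
            # "from <file>.te:<line>" is absent from some failures in the thread.
            "neverallow_at": m["te"] or m["cil"],
            "allow_at": m["allow_at"],
            "allow": (m["a_src"], m["a_tgt"], m["a_cls"]),
            "offending": [p for p in granted if p in denied],
            "unaffected": [p for p in granted if p not in denied],
        })
    return results


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["neverallow_at"], f["allow"], "->", f["offending"])
```

Because normalize strips quote markers and rejoins wrapped lines, the same function accepts the failure blocks pasted straight from a quoted mail like the ones in this thread.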
