Hi Nick,

Yes, McuService is the service name we used in the code, and in a previous change it was defined as "McuService" in the service_contexts file too, but we still saw the same issue. To confirm this, I just updated it back to McuService and made a build; the logs are the same as before. Here is the change:
diff --git a/common/service_contexts b/common/service_contexts index 066cea8..abe76d4 100644 --- a/common/service_contexts +++ b/common/service_contexts 
@@ -4,6 +4,6 @@ # Faradayfuture Confidential Restricted. # -mcu.service u:object_r:mcu_service_service:s0 +McuService u:object_r:mcu_service_service:s0 DiagService u:object_r:diagnositc_server_service:s0 DiagEngine u:object_r:diag_engine_service:s0

Thanks,
Xiaofeng

On Monday, November 5, 2018 at 10:36:23 AM UTC-8, nnk wrote:
>
> On Mon, Nov 5, 2018 at 10:34 AM Xiaofeng Lei <xiaofe...@ff.com> wrote:
>
>> Hi,
>>
>> I'm trying to add the SELinux policies for a new native binder service
>> named mcu_service, but it keeps reporting the error message:
>>
>> 10-24 04:14:45.285 513 513 E SELinux : avc: denied { add } for service=McuService pid=1252 uid=0 scontext=u:r:mcu_service:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
>>
>
> The string you are trying to register is "McuService".
>
>> And if SELinux is set to enforcing mode, it's even worse to launch
>> this service, reporting something like "add_service uid=1000 - PERMISSION DENIED".
>>
>> Here are the settings I added for the service (in the target SELinux
>> files, device/xx/sepolicy):
>>
>> service.te:
>>
>> type mcu_service_service, service_manager_type;
>>
>> service_contexts:
>>
>> mcu.service u:object_r:mcu_service_service:s0
>>
>
> But in SELinux policy you are calling it "mcu.service".
>
>> mcu_service.te:
>>
>> type mcu_service, domain;
>> type mcu_service_exec, exec_type, vendor_file_type, file_type;
>> init_daemon_domain(mcu_service)
>> ......
>> binder_service(mcu_service)
>> add_service(mcu_service, mcu_service_service)
>> ......
>>
>> I tried to add the rule "allow mcu_service default_android_service:service_manager add;",
>> but it failed to pass the build because of the neverallow rules on default_android_service.
>>
>> Could anyone give me a hand with this issue?
>>
>> Thanks,
>> Xiaofeng
>
> --
> Nick Kralevich | n...@google.com

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com.
Visit this group at https://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
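Review bot: on the common/service_contexts hunk (-mcu.service / +McuService), the key now matches the name in the denial (service=McuService), yet the re-run still reports tcontext=u:object_r:default_android_service:s0, which is the label servicemanager hands out when the registered name matches no entry in the service_contexts it actually loaded (the trailing "*" fallback); that points to this file not being the one installed on the device rather than to the rename being wrong, so before adding any further allow rules confirm which service_contexts the build ships (this common/ copy versus the device/xx/sepolicy files mentioned earlier and the platform copy) and that the quoted avc line comes from the new image. Minor: the unchanged context line carries a typo in diagnositc_server_service; fix it in a separate change so this one stays a one-line rename.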
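As an added diagnostic (not code from the thread, from AOSP or from servicemanager), the following script reproduces the mismatch Nick points out: it parses a service_contexts file and an "avc: denied { add }" line and reports whether the registered name has an explicit entry, whether it fell through to the "*" default label, and which entries differ only by case or "."/"_" separators. The sample service_contexts and avc line are constructed from the thread, and the exact-match-then-wildcard lookup is my model of the lookup, an assumption rather than servicemanager's own code.

```python
import re

# Constructed sample input mirroring the thread: service_contexts labels "mcu.service"
# while the daemon registers "McuService", so that name falls through to the '*' entry.
SERVICE_CONTEXTS = """\
mcu.service u:object_r:mcu_service_service:s0
DiagService u:object_r:diagnositc_server_service:s0
* u:object_r:default_android_service:s0
"""
AVC_LINE = ("10-24 04:14:45.285 513 513 E SELinux : avc: denied { add } for "
            "service=McuService pid=1252 uid=0 scontext=u:r:mcu_service:s0 "
            "tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1")
AVC_RE = re.compile(r"avc: +denied +\{(?P<perms>[^}]*)\} +for +(?P<kv>.*)$")

def parse_service_contexts(text):
    """(name, label) pairs in file order; '#' comments and blank lines are skipped."""
    fields = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [(f[0], f[1]) for f in fields if len(f) == 2]

def lookup_label(entries, name):
    """Assumed lookup model: exact name match first, then the '*' wildcard, else None."""
    for n, label in entries:
        if n == name:
            return label
    return next((label for n, label in entries if n == "*"), None)

def parse_avc(line):
    """Permission list plus key=value fields from one 'avc: denied' log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields

def diagnose_add_denial(avc_line, contexts_text):
    """Explain a service_manager 'add' denial against the given service_contexts text."""
    avc = parse_avc(avc_line)
    if not avc or avc.get("tclass") != "service_manager" or "add" not in avc["perms"]:
        return None
    entries = parse_service_contexts(contexts_text)
    name = avc["service"]
    norm = lambda s: s.lower().replace(".", "").replace("_", "")  # ignore case and separators
    return {
        "service": name,
        "resolved_label": lookup_label(entries, name),
        "has_explicit_entry": any(n == name for n, _ in entries),
        "denial_shows_default_label": avc.get("tcontext") == lookup_label(entries, "*"),
        "near_misses": [n for n, _ in entries if n not in ("*", name) and norm(n) == norm(name)],
    }
```

Run it against the service_contexts pulled from the device rather than the source tree to check which copy the image actually carries.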