How to add SELinux policy on a user-debug ROM that has `split` policy scheme?

1 vote
2 answers
2304 views
I have a Sony device that supports Treble and is a system-as-root and A/B device. It has a user-debug ROM installed on it, so its adb shell is rooted. I have disabled dm-verity using adb disable-verity after running the adb root and adb remount commands. As documented here, this device also has split policies at /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'nonplat' portion of the policy). I am trying to run test.sh using the following init script:
#/etc/init/m_daemon.rc

# define service, use executable here if script not needed
service m_daemon /system/xbin/test.sh

    # don't start unless explicitly asked to
    disabled

    # Use seclabel u:r:magisk:s0 to run with unrestricted SELinux context to avoid avc denials
    # can also use "u:r:su:s0" on userdebug / eng builds if no Magisk.
    # It's required if SELinux is enforcing and service needs access
    # to some system resources not allowed by default sepolicy
    # seclabel u:object_r:qlogd_exec:s0
    seclabel u:r:su:s0

# start the service when the boot is completed
on property:sys.boot_completed=1
    # Use it to start the service
    start m_daemon
/system/xbin/test.sh file has the following contents:
#!/system/bin/sh
# write the current date to /sdcard/test (a bare "echo date" would only write the word "date")
date > /sdcard/test
When the device reboots, the service fails to run with the following error:

> 202.932913 / 11-26 20:21:04.074 audit: type=1400 audit(1574763664.074:213): avc: denied { transition } for pid=8534 comm="init" path="/system/xbin/test.sh" dev="sda24" ino=8150 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process permissive=0
>
> 202.933268 / 11-26 20:21:04.074 init: cannot execve('/system/xbin/test.sh'): Permission denied

To fix it, I have used sepolicy-inject and run the following commands:
sepolicy-inject -s init -t su -c process -p transition -P /sys/fs/selinux/policy -l
sepolicy-inject -s init -t su -c process -p noatsecure -P /sys/fs/selinux/policy -l
sepolicy-inject -s init -t su -c process -p rlimitinh -P /sys/fs/selinux/policy -l
sepolicy-inject -s init -t su -c process -p siginh -P /sys/fs/selinux/policy -l
but these need to be run again after every reboot. So, I have tried to patch precompiled_sepolicy using the following commands:
sepolicy-inject -s init -t su -c process -p transition -P /vendor/etc/selinux/precompiled_sepolicy -l
sepolicy-inject -s init -t su -c process -p noatsecure -P /vendor/etc/selinux/precompiled_sepolicy -l
sepolicy-inject -s init -t su -c process -p rlimitinh -P /vendor/etc/selinux/precompiled_sepolicy -l
sepolicy-inject -s init -t su -c process -p siginh -P /vendor/etc/selinux/precompiled_sepolicy -l
but the policies are not injected, neither live nor after a reboot. To test, I am just checking the date in the /sdcard/test file. So, I just want to know:

- Why did patching precompiled_sepolicy not work?
- Where should the required policies be patched, using a rooted adb shell, so that they persist after a reboot?
Asked by Vatish Sharma (1101 rep)
Nov 26, 2019, 06:52 AM
Last activity: Aug 22, 2022, 11:32 AM
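The denial quoted in the question is a standard audit(1400) avc record, and the sepolicy-inject invocations in the question are a hand-transcription of its scontext/tcontext/tclass/permission fields. The script below is an added example (Python, written for this page; it is not code from the question, from sepolicy-inject or from audit2allow) that parses such lines, merges every denial for one (source type, target type, object class) triple into a single allow rule, and prints the equivalent sepolicy-inject command per permission in the same form the question uses. The sample log is constructed: its first line is the denial from the question, the second is the non-avc execve failure that follows it, and the third is an invented follow-up denial for noatsecure/rlimitinh/siginh, added only to show merging (those three permissions are injected in the question but do not appear in the quoted log). The policy path is a parameter; /sys/fs/selinux/policy is the live-kernel path from the question.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log (see the lead-in): line 1 is the question's denial,
# line 2 is the init execve failure that is not an avc record and is skipped,
# line 3 is an invented denial used to demonstrate merging of permissions.
SAMPLE_LOG = """\
11-26 20:21:04.074 audit: type=1400 audit(1574763664.074:213): avc: denied { transition } for pid=8534 comm="init" path="/system/xbin/test.sh" dev="sda24" ino=8150 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process permissive=0
11-26 20:21:04.074 init: cannot execve('/system/xbin/test.sh'): Permission denied
11-26 20:21:05.001 audit: type=1400 audit(1574763665.001:214): avc: denied { noatsecure rlimitinh siginh } for pid=8534 comm="init" path="/system/xbin/test.sh" dev="sda24" ino=8150 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process permissive=0
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

RuleKey = Tuple[str, str, str]  # (source type, target type, object class)


def selinux_type(context: str) -> str:
    """u:r:init:s0 -> init. The type is the third field of an Android context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one avc denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        # permissive=0 means the kernel actually blocked the access
        "enforced": fields.get("permissive") == "0",
    }


def collect_rules(log: str) -> Dict[RuleKey, Set[str]]:
    """Merge all denied permissions per (source, target, class) triple."""
    rules: Dict[RuleKey, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(rules: Dict[RuleKey, Set[str]]) -> List[str]:
    """Render each merged triple as one TE allow rule, permissions sorted."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def inject_commands(rules: Dict[RuleKey, Set[str]],
                    policy: str = "/sys/fs/selinux/policy") -> List[str]:
    """One sepolicy-inject command per permission, in the form the question uses."""
    return [
        f"sepolicy-inject -s {s} -t {t} -c {c} -p {perm} -P {policy} -l"
        for (s, t, c), p in sorted(rules.items())
        for perm in sorted(p)
    ]


if __name__ == "__main__":
    found = collect_rules(SAMPLE_LOG)
    for rule in allow_rules(found):
        print(rule)
    for cmd in inject_commands(found):
        print(cmd)
```

Run against the constructed log this emits one rule, allow init su:process { noatsecure rlimitinh siginh transition };, and the same four sepolicy-inject commands the question runs by hand. The tool only ever emits exactly what the log shows, so a denial for a permission the log has not recorded yet (the way the question's log shows only transition) needs another pass after the first rule is in place; reviewing the merged rule before applying it is the point of rendering it as a single line.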