android, linux, android-source, selinux

avc denied transition on daemon


I have a bespoke daemon I am adding to my Android 8.1 source tree.

But I keep getting the error:

type=1400 audit(21.610:3): avc: denied { transition } for pid=217 comm="init" path="/system/bin/rfidmanagerd" dev="dm-1" ino=293 scontext=u:r:init:s0 tcontext=u:object_r:rfidmanager_exec:s0 tclass=process permissive=1

Here is my rfidmanager.te file:

# RFID manager process
type rfidmanager, coredomain;
type rfidmanager_exec, exec_type, file_type;

init_daemon_domain(rfidmanager)
domain_auto_trans(init, rfidmanager_exec, rfidmanager)

# Access system/etc/rfid
allow rfidmanager sysfs:file rw_file_perms;
allow rfidmanager tmpfs:chr_file { read write };
allow rfidmanager sysfs:file write;
allow rfidmanager system_file:file r_file_perms;
# Access /data/misc/rfid.
allow rfidmanager misc_rfid_file:dir create_dir_perms;
allow rfidmanager misc_rfid_file:file create_file_perms;
allow rfidmanager misc_rfid_file:file rw_file_perms;
allow rfidmanager misc_rfid_file:file { read write setattr append unlink link rename };
allow rfidmanager misc_rfid_file:fifo_file { create open read write };
# Access /dev/circchar
allow rfidmanager rfidhal_device:chr_file r_file_perms;
allow rfidmanager rfidhal_device:chr_file { read write };
# Access serial ports
allow rfidmanager tty_device:chr_file r_file_perms;

Here is my file_contexts:

/system/bin/rfidmanagerd        u:object_r:rfidmanager_exec:s0

In my init.te file, for the denial, I have:

allow init rfidmanager_exec:process {transition};

The device needs to have SELinux in enforcing mode. Here is how I start my service in the init.rc file:

service rfidmanagerd /system/bin/rfidmanagerd -c /system/etc/rfid/rfidmanagerd.conf
        class core
        seclabel u:object_r:rfidmanager_exec:s0
        user root
        group root system
        oneshot
start rfidmanagerd

When I try to start the service manually, i.e.

su system
./system/bin/rfidmanagerd

it starts, but using ps -eZ I see the service as follows:

u:r:su:s0 system 859 1 4524 360 poll_schedule_timeout 0 S rfidmanagerd

It should however be with the u:object_r:rfidmanager_exec:s0 as I have defined in my contexts.

It does not start automatically, which is understandable given the SELinux denial error; however, any combination of allow rules for this particular denial seems to be ignored.

When I try to do start rfidmanagerd (as root) in the terminal I get:

[  474.879385] init: starting service 'rfidmanagerd'...
[  474.885868] init: property_set("ro.boottime.rfidmanagerd", "474879774055") failed: property already set
[  474.915929] init: cannot execve('/system/bin/rfidmanagerd'): Permission denied
[  474.925563] type=1400 audit(480.580:9): avc: denied { transition } for pid=998 comm="init" path="/system/bin/rfidmanagerd" dev="dm-1" ino=381 scontext=u:r:init:s0 tcontext=u:object_r:rfidmanager_exec:s0 tclass=process permissive=0

I understand the denial, but don't understand why my allow rule is not fixing this...

Everything runs fine when I am in permissive mode, but as I said I cannot have it in permissive.

Any help would be greatly appreciated!

Thanks

UPDATE -- I have had this migrated from Android Enthusiasts to Stack Exchange back to Android Enthusiasts; it keeps getting moved. Can someone please help me!


Solution

  • For anyone who is having a similar issue: Android 8.1 needs the coredomain to not have a neverallow rule when compiling SELinux!

    However, this has some issues with SELinux resolving the setexeccontext.

    So the first line in my .te file should read:

    type rfidmanager, coredomain, domain;

    instead of just

    type rfidmanager, coredomain;

    I hope this helps anyone.
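The following is an added example, not code from the question or the answer above. It is a small offline consistency check over the pieces the question shows (the avc denial line, the `.te` declarations, and the init.rc service stanza), all embedded as constructed strings modelled on the post rather than taken from a real device. It reports the mismatch the answer fixes (a type passed to `init_daemon_domain()` without the `domain` attribute) and, as my own reading of the denial rather than the accepted answer's, a second one: `seclabel` must name a process domain (role `r`), but the stanza in the question uses the file label `u:object_r:rfidmanager_exec:s0` (role `object_r`), which is exactly the `tcontext` the `{ transition }` denial is reported against. The corrected `seclabel` value `u:r:rfidmanager:s0` is an assumption that follows from the type name in the question.

```python
"""Offline lint for an Android SELinux daemon policy (added example, not the
page's own code).  Inputs are constructed strings modelled on the question."""
import re

# --- constructed inputs, not real device output -------------------------------
AVC_LINE = ('type=1400 audit(21.610:3): avc: denied { transition } for pid=217 '
            'comm="init" path="/system/bin/rfidmanagerd" dev="dm-1" ino=293 '
            'scontext=u:r:init:s0 tcontext=u:object_r:rfidmanager_exec:s0 '
            'tclass=process permissive=1')

TE_BEFORE = """
type rfidmanager, coredomain;
type rfidmanager_exec, exec_type, file_type;
init_daemon_domain(rfidmanager)
"""

TE_AFTER = """
type rfidmanager, coredomain, domain;
type rfidmanager_exec, exec_type, file_type;
init_daemon_domain(rfidmanager)
"""

INIT_RC_BEFORE = """
service rfidmanagerd /system/bin/rfidmanagerd
    class core
    seclabel u:object_r:rfidmanager_exec:s0
    user root
"""

INIT_RC_AFTER = """
service rfidmanagerd /system/bin/rfidmanagerd
    class core
    seclabel u:r:rfidmanager:s0
    user root
"""


def parse_avc(line):
    """Return the key=value fields of an avc denial plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r'denied \{ ([^}]*) \}', line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields


def parse_context(ctx):
    """Split user:role:type[:range] into its parts."""
    user, role, typ, *rest = ctx.split(':')
    return {'user': user, 'role': role, 'type': typ, 'range': ':'.join(rest)}


def type_attributes(te_text):
    """Map each `type NAME, attr, attr;` declaration to its attribute set."""
    decls = {}
    for m in re.finditer(r'^\s*type\s+(\w+)\s*(?:,\s*([^;]*))?;', te_text, re.M):
        decls[m.group(1)] = {a.strip() for a in (m.group(2) or '').split(',') if a.strip()}
    return decls


def daemon_domains(te_text):
    """Types passed to init_daemon_domain(); these are meant to be process domains."""
    return set(re.findall(r'init_daemon_domain\((\w+)\)', te_text))


def seclabels(init_rc_text):
    """Map service name -> seclabel context from an init.rc fragment."""
    labels, current = {}, None
    for line in init_rc_text.splitlines():
        m = re.match(r'\s*service\s+(\S+)', line)
        if m:
            current = m.group(1)
        m = re.match(r'\s*seclabel\s+(\S+)', line)
        if m and current:
            labels[current] = m.group(1)
    return labels


def lint(te_text, init_rc_text, avc_line=None):
    """Return a list of findings; an empty list means the pieces are consistent."""
    findings = []
    attrs = type_attributes(te_text)
    # A process domain must carry the `domain` attribute (the fix in the answer).
    for dom in daemon_domains(te_text):
        if 'domain' not in attrs.get(dom, set()):
            findings.append(f"{dom}: used as a process domain but lacks the 'domain' attribute")
    # seclabel is a process context: role r and a type that is a domain.
    for svc, ctx in seclabels(init_rc_text).items():
        c = parse_context(ctx)
        if c['role'] != 'r':
            findings.append(f"{svc}: seclabel {ctx} has role {c['role']}; a process context needs role r")
        if c['type'] in attrs and 'domain' not in attrs[c['type']]:
            findings.append(f"{svc}: seclabel type {c['type']} is not a domain")
    # A transition denial whose target carries object_r points at a file label.
    if avc_line:
        avc = parse_avc(avc_line)
        if avc.get('tclass') == 'process' and 'transition' in avc['perms']:
            if parse_context(avc['tcontext'])['role'] == 'object_r':
                findings.append(f"avc: transition target {avc['tcontext']} is a file label, not a domain")
    return findings


if __name__ == '__main__':
    for f in lint(TE_BEFORE, INIT_RC_BEFORE, AVC_LINE):
        print('before:', f)
    print('after:', lint(TE_AFTER, INIT_RC_AFTER) or 'no findings')
```

Run against the "before" strings it prints four findings (the missing `domain` attribute, the `object_r` role in `seclabel`, the exec type used as a seclabel type, and the denial's target being a file label); against the "after" strings it prints none. The check is deliberately textual: it does not compile policy, so it cannot replace `checkpolicy` or a build with neverallow checking, but it catches the two labelling mistakes before a reboot into enforcing mode.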