When I add a new service, I get the following error:
SELinux : avc: denied { add } for service=xxxManagerService pid=3798 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
Then I add an allow rule in system_server.te:
allow system_server default_android_service:service_manager { add };
But a build error happened:
libsepol.report_failure: neverallow on line 517 of system/sepolicy/public/domain.te (or line 10355 of policy.conf) violated by allow system_server default_android_service:service_manager { add };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/sti6030d111/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 11% 22/200] target thumb C++: libpqcontrol <= vendor/amlogic/common/frameworks/services/systemcontrol/PQ/SSMAction.cpp
What should I do to make it work and pass CTS?
Android comes with a long list of neverallow rules that make sure you don't give permissions which break the security of your device. Fortunately, these neverallow rules are well documented in the code. If you look up line 517 in system/sepolicy/public/domain.te you'll find this:

You probably used audit2allow to create the rule. This seems to be an easy solution at first, but it will almost always result in a rule set that is hard to read. In the end there is no other way than understanding the basics of SELinux in Android. See here for more information.
I cannot give you an example of what to do now as the things you need to do depend on the type of service you want to add.
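As an added illustration (not part of either post above, and not the answerer's code) of the direction the answer points to: the rejected rule tries to let system_server register a service that still carries the generic default_android_service label, which the neverallow in domain.te forbids for every domain. The accepted approach is to give the new service its own type and map the registered service name to that type, so no allow on default_android_service is needed. The service name xxxManagerService is the one from the question; the file paths, the type name xxx_manager_service and the BoardConfig variable below are assumptions for a device-specific policy directory, and which policy directory variable applies depends on the Android release in use.

```sepolicy
# device/<vendor>/<device>/sepolicy/xxx_manager_service.te   (assumed path)
#
# Declare a dedicated type for the new service instead of leaving it with
# the default_android_service label.  The attributes chosen here are the
# ones AOSP uses for services hosted by system_server:
#   - system_server_service: system_server already holds
#       allow system_server system_server_service:service_manager { add find };
#     so no extra allow rule for the "add" is required.
#   - app_api_service / system_api_service: lets app and system client
#     domains "find" the service; drop the attribute(s) a service does not
#     need so that only intended clients can look it up.
type xxx_manager_service, app_api_service, system_api_service, system_server_service, service_manager_type;

# device/<vendor>/<device>/sepolicy/service_contexts   (assumed path)
#
# Map the name registered with ServiceManager to the new type.  The name
# must match exactly what the service passes to ServiceManager.addService().
xxxManagerService   u:object_r:xxx_manager_service:s0

# device/<vendor>/<device>/BoardConfig.mk   (assumed path)
#
# Make the build pick up the device-specific policy directory (assumption:
# the release in use merges this directory into the device policy).
BOARD_SEPOLICY_DIRS += device/<vendor>/<device>/sepolicy
```

After rebuilding, the original avc denial (tcontext=u:object_r:default_android_service:s0) should no longer appear, because the service now carries the xxx_manager_service label at registration time. If a later denial shows tcontext=u:object_r:xxx_manager_service:s0 with tclass=service_manager and { find }, it names a client domain that needs an explicit find rule for the new type (or one of the api_service attributes above), which is the kind of narrowly scoped rule that passes the neverallow checks rather than weakening them.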