SEAndroid: How to fix permissive domains not allowed

Question

I've some SEAndroid question, when I create a new domain type for my timestamp process, but there still have some conflict problem with neverallow. Can somebody give me a hint or clue? please see the following descriptions.

avc denied logs:

[ 120.810387] type=1400 audit(932699.049:188): avc: denied { execute_no_trans } for pid=3875 comm="system_server" path="/system/bin/sh" dev="mmcblk0p47" ino=791 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 [ 120.827670] type=1400 audit(932699.049:188): avc: denied { execute_no_trans } for pid=3875 comm="system_server" path="/system/bin/sh" dev="mmcblk0p47" ino=791 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 [ 120.827684] type=1400 audit(932699.069:189): avc: denied { getattr } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.828287] type=1400 audit(932699.069:189): avc: denied { getattr } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.828300] type=1400 audit(932699.069:190): avc: denied { execute } for pid=3877 comm="sh" name="timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.828593] type=1400 audit(932699.069:190): avc: denied { execute } for pid=3877 comm="sh" name="timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.828607] type=1400 audit(932699.069:191): avc: denied { read open } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.828981] type=1400 audit(932699.069:191): avc: denied { read open } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.828996] type=1400 audit(932699.069:192): avc: denied { execute_no_trans } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.845574] type=1400 audit(932699.069:192): avc: denied { execute_no_trans } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 [ 120.845587] type=1400 audit(932699.089:193): avc: denied { execute_no_trans } for pid=3879 comm="sh" path="/system/bin/dumpsys" dev="mmcblk0p47" ino=570 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1

My timestamp.te:

type timestamp, domain; type timestamp_exec, exec_type, file_type; init_daemon_domain(timestamp)

My file_contexts:

/system/bin/timestamp        u:object_r:timestamp_exec:s0

My system_server.te:

allow system_server timestamp_exec:file { execute_no_trans getattr execute read open };

Compiler failed Logs:

FAILED: out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8996/obj/ETC/26.0.cil_intermediates/26.0.cil out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy )" neverallow check failed at out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:12033 from system/sepolicy/private/system_server.te:704 (neverallow system_server base_typeattr_218 (file (execute_no_trans))) allow at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:7533 (allow system_server_26_0 timestamp_exec (file (read getattr execute execute_no_trans open))) Failed to generate binary Failed to build policydb

Answer 1

please try to add "mlstrustedsubject, coredomain" at the end of "type timestamp, domain;"

-    type timestamp, domain;

+    type timestamp, domain, mlstrustedsubject, coredomain;