I’m trying to build AOSP 9 with a new daemon, but SELinux isn’t allowing me. My sierra_config_ip.te starts with:
type sierra_config_ip, domain;
permissive sierra_config_ip;
type sierra_config_ip_exec, exec_type, file_type;
init_daemon_domain(sierra_config_ip)
My file_contexts is:
/(vendor|system/vendor)/bin/init.config.ip u:object_r:sierra_config_ip_exec:s0
My init.rc is:
service sierra_config_ip /vendor/bin/init.config.ip
    class main
    user root
    group radio cache inet misc dhcp
    capabilities BLOCK_SUSPEND NET_ADMIN NET_RAW
    disabled
    oneshot
But I always get the following error:
[ 0% 3/56037] build out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd sierra_dhcpcd_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip sierra_config_ip_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip dhcp_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip shell_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_config_ip net_data_file:dir { search };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_dhcpcd net_data_file:dir { search };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip net_data_file:file { open };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip dhcp_data_file:file { create setattr lock map unlink rename open };
libsepol.check_assertions: 10 neverallow failures occurred
Error while expanding policy
I don’t know why it is not working; I followed the steps described in other topics here, like this one. Can someone help me with this?
Besides that, I tried to disable SELinux to finally be able to build Android. To do this, I put
enforcing=0 androidboot.selinux=disabled
in BOARD_KERNEL_CMDLINE in BoardConfig.mk, but the policies are built before that and the error occurs again!
I also tried putting -sierra_config_ip in domain.te:
full_treble_only(`
  # Do not allow vendor components to execute files from system
  # except for the ones whitelist here.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_executes_system_violators
    -vendor_init
    -evs_domain
    -sierra_config_ip
  } {
    exec_type
    -vendor_file_type
    -crash_dump_exec
    -netutils_wrapper_exec
  }:file { entrypoint execute execute_no_trans };
')
But I get the following error:
system/sepolicy/public/domain.te:1005:ERROR 'unknown type sierra_config_ip' at token ';' on line 11251: #line 1005 }:file { entrypoint execute execute_no_trans };
Thanks in advance for any help! 🙂
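For readers hitting the same build failures: every failure quoted above is a build-time neverallow assertion, and a `permissive` declaration does not bypass those (permissive only affects enforcement on the device, checkpolicy still rejects the allow rules). The shape of a vendor daemon domain that stays inside the Treble rules the errors cite is shown below as an added example; it is not the poster's policy and not anything from AOSP itself. The daemon name, the data path under /data/vendor, the vendor sepolicy directory and the specific socket and capability rules are assumptions chosen to match the init.rc in the question.

```selinux
# --- device/<vendor>/<board>/sepolicy/sierra_config_ip.te (assumed path, listed in BOARD_SEPOLICY_DIRS)
# The domain and its types live in the vendor policy tree. Editing
# system/sepolicy/public/domain.te cannot work here: public policy is
# compiled on its own, where vendor types are not visible, which is the
# "unknown type sierra_config_ip" error.
type sierra_config_ip, domain;

# vendor_file_type is what the domain.te neverallow on "vendor components
# executing system files" keys on: a vendor domain's entrypoint must be a
# vendor-typed file. Declaring the exec type with only exec_type and
# file_type is what produced "violated by allow ... sierra_config_ip_exec:file { execute entrypoint }".
type sierra_config_ip_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(sierra_config_ip)

# Private data type for the daemon. It is deliberately not a
# core_data_file_type, so the neverallows on core data files (the ones
# reported for net_data_file and dhcp_data_file) are not triggered.
type sierra_config_ip_data_file, file_type, data_file_type;
allow sierra_config_ip vendor_data_file:dir search;
allow sierra_config_ip sierra_config_ip_data_file:dir create_dir_perms;
allow sierra_config_ip sierra_config_ip_data_file:file create_file_perms;

# Helper binaries must be the vendor copies. toolbox_exec and shell_exec
# are system types, and executing them from a vendor domain is one of the
# reported violations; vendor_toolbox_exec and vendor_shell_exec are the
# vendor-side equivalents.
allow sierra_config_ip vendor_shell_exec:file rx_file_perms;
allow sierra_config_ip vendor_toolbox_exec:file rx_file_perms;

# Network configuration: socket access plus the capabilities that the
# init.rc "capabilities NET_ADMIN NET_RAW" line grands to the process.
# The socket classes below are assumed for illustration.
net_domain(sierra_config_ip)
allow sierra_config_ip self:capability { net_admin net_raw };
allow sierra_config_ip self:netlink_route_socket { create_socket_perms nlmsg_write };

# --- file_contexts in the same vendor sepolicy directory (paths assumed)
# /(vendor|system/vendor)/bin/init.config.ip  u:object_r:sierra_config_ip_exec:s0
# /data/vendor/sierra(/.*)?                    u:object_r:sierra_config_ip_data_file:s0
```

Two checks are worth doing after a change like this. At build time, the `sepolicy_neverallows` target from the question is the gate: it either lists the remaining violations with the domain.te line each one comes from, or passes silently. On the device, `ls -Z /vendor/bin/init.config.ip` should show the vendor exec label and `ps -Z` should show the daemon running as `u:r:sierra_config_ip:s0`; if either still shows a system or `vendor_file` label, the file_contexts entry is not being applied and the domain transition is not happening.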