Neverallow failures occurred Error while expanding policy in AOSP10

To add a service in sepolicy:
I have followed the steps below to create and register a service in sepolicy.

Step 1: Create script file
verifyusb.sh
#!/system/bin/sh
echo "Hello USB"
+++some logic ++

Step 2: verifyusb.sh copied into system/bin/
LOCAL_DEVICE_MEDIA := device/xxx/XXX/verifyusb.sh:system/bin/verifyusb.sh

Step 3: added verifyusb.sh into init.rc
device/xxx/xxx/rcs/init.rc

on boot
exec - root root system readproc -- /system/bin/verifyusb.sh

Step 4: Created .te file
Path: device/xxx/xxx/sepolicy/xxx/verifyusb.te
type verifyusb, domain;
type verifyusb_exec, exec_type, file_type;
init_daemon_domain(verifyusb)

Step 5: registered the file in device/xxx/xxx/sepolicy/xxx/file_contexts

/system/bin/verifyusb.sh u:object_r:verifyusb_exec:s0

Step 6: Compiled and got this error:

[ 98% 902/918] build out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests
FAILED: out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests
/bin/bash -c "(out/host/linux-x86/bin/sepolicy_tests -l out/host/linux-x86/lib64/libsepolwrap.so -f out/target/product/xxx/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts -f out/target/product/xxx/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -p out/target/product/xxx/obj/ETC/sepolicy_intermediates/sepolicy ) && (touch out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )"
The following types on /system/ must be associated with the "system_file_type" attribute: verifyusb_exec

Step 7: To resolve the above error, added "system_file_type" to the verifyusb.te file.
type verifyusb, domain;
type verifyusb_exec, system_file_type, exec_type, file_type;
init_daemon_domain(verifyusb)

Step 8: Compiled the source code and got another error:

[ 89% 818/918] build out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/policy.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp neverallow -w -f out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/policy_2.conf || ( echo "" 1>&2; echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; echo "the policy." 1>&2; exit 1 ) ) && (touch out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp ) && (mv out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow on line 1029 of system/sepolicy/public/domain.te (or line 14463 of policy.conf) violated by allow verifyusb verifyusb_exec:file { read getattr map execute entrypoint open };
libsepol.report_failure: neverallow on line 952 of system/sepolicy/public/domain.te (or line 14295 of policy.conf) violated by allow verifyusb verifyusb_exec:file { execute entrypoint };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
14:43:54 ninja failed with: exit status 1
build/make/core/main.mk:21: recipe for target 'run_soong_ui' failed
make: *** [run_soong_ui] Error 1

Looks like you defined an SE rule which is not allowed; what is indicated at those lines?

Thank you @Loic for your reply.
FYI, I am working on Android 10.

Line 1029 of system/sepolicy/public/domain.te:

neverallow {
    domain
    -appdomain
    -coredomain
    -vendor_executes_system_violators
    # vendor_init needs access to init_exec for domain transition. vendor_init
    # neverallows are covered in public/vendor_init.te
    -vendor_init
} {
    system_file_type
    -crash_dump_exec
    -file_contexts_file
    -netutils_wrapper_exec
    -property_contexts_file
    -system_event_log_tags_file
    -system_lib_file
    with_asan(`-system_asan_options_file')
    -system_linker_exec
    -system_linker_config_file
    -system_seccomp_policy_file
    -system_security_cacerts_file
    -system_zoneinfo_file
    -task_profiles_file
    userdebug_or_eng(`-tcpdump_exec')
}:file *;
')

Line 952 of system/sepolicy/public/domain.te:

full_treble_only(`

# Do not allow vendor components to execute files from system
# except for the ones whitelist here.
neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_executes_system_violators
    -vendor_init
} {
    system_file_type
    -system_lib_file
    -system_linker_exec
    -crash_dump_exec
    -netutils_wrapper_exec
    userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };

')

Put your script on the vendor partition where it belongs.

And as I’ve already told you in one of the dozen or so other threads you’re playing around in, don’t modify the init.rc. You should be creating your own rc file, in /vendor/etc/init/.

Hi @doitright, thanks for your reply.
I have followed your suggestion, but the shell script is not running while booting the device.

We tried to start the service manually from the shell (# start verifyusb), but we are getting the error below:

Received control message 'start' for 'verifyusb' from pid: 6599 (start verifyusb)
[ 1461.358006] init: starting service 'verifyusb'...
[ 1461.376901] type=1400 audit(1586847468.858:61): avc: denied { getattr } for comm="ProcessService0" path="/data/data/com.google.android.apps.mediashell" dev="mmcblk1p17" ino=1048 scontext=u:r:isolated_app:s0:c41,c291,c512,c768 tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir permissive=0 b/119596573
[ 1461.377099] type=1400 audit(1586847978.657:62): avc: denied { read } for comm="verifyusb" path="/system/bin/sh" dev="dm-0" ino=669 scontext=u:r:verifyusb:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0
Received control message 'start' for 'verifyusb' from pid: 6606 (start verifyusb)
[ 1519.064603] init: starting service 'verifyusb'...
[ 1519.078408] init: Service 'verifyusb' (pid 6607) received signal 11

Below are the steps we have followed to create the service in SEPolicy:
Created a .rc file and included it in init.{ro.hardware}.rc.

Step 1: init.{ro.hardware}.rc:
import /vendor/etc/init/hw/init.verifyusb.rc

Step 2: init.verifyusb.rc:

on boot
start startusb

service startusb /vendor/bin/startusb
class main
user root
oneshot
seclabel u:r:startusbs0
Step 3: Created .te file at "device/xxxxx/xxxx/sepolicy/treble/verifyusb.te".

type verifyusb, domain;
type verifyusb_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(verifyusb)

Step 4: Registered the script file in /device/xxxxx/xxx/sepolicy/treble/file_contexts.

/vendor/bin/verifyusb.sh u:object_r:verifyusb_exec:s0

I’m not going to do this for you. You’ve made a bunch of mistakes, some of which are a failure to listen to what you’ve been told to do (in particular, reread my previous message in this thread), and some of them are oversights, which are clearly indicated on the output from your process. Such as trying to use /system/bin/sh from a vendor process. That is not allowed.

Thanks for your reply.
I have made mistakes, but I am trying to correct them.
I am not able to understand where I have made the mistake.
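To make the `avc: denied` lines in the init log above easier to read, here is an added example (not from this thread, nor AOSP tooling) that parses each denial into the allow rule audit2allow would propose and flags the one a vendor domain cannot be granted under the domain.te neverallows quoted earlier. The VENDOR_DOMAINS and SYSTEM_FILE_TYPES sets are assumptions standing in for the attributes the compiled policy would resolve.

```python
import re

# Two 'avc: denied' lines copied from the init log quoted in this thread
# (quoting normalised to plain ASCII); the second is the verifyusb service
# trying to read /system/bin/sh, which is labelled shell_exec.
SAMPLE_DENIALS = [
    '[ 1461.376901] type=1400 audit(1586847468.858:61): avc: denied { getattr } '
    'for comm="ProcessService0" path="/data/data/com.google.android.apps.mediashell" '
    'dev="mmcblk1p17" ino=1048 scontext=u:r:isolated_app:s0:c41,c291,c512,c768 '
    'tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir permissive=0 b/119596573',
    '[ 1461.377099] type=1400 audit(1586847978.657:62): avc: denied { read } '
    'for comm="verifyusb" path="/system/bin/sh" dev="dm-0" ino=669 '
    'scontext=u:r:verifyusb:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0',
]

# Assumption: verifyusb is the vendor domain under discussion and shell_exec
# is a type on /system (system_file_type). Real policy resolves these from
# the compiled attribute sets; here they are fixed for the example.
VENDOR_DOMAINS = {'verifyusb'}
SYSTEM_FILE_TYPES = {'shell_exec'}

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = sorted(d['perms'].split())
    # The type is the third field of u:r:<type>:s0[:categories].
    d['stype'] = d['scontext'].split(':')[2]
    d['ttype'] = d['tcontext'].split(':')[2]
    return d

def allow_rule(d):
    """Render a parsed denial as the allow rule audit2allow would propose."""
    return 'allow %s %s:%s { %s };' % (d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))

def crosses_treble_boundary(d):
    """True when a vendor domain touches a /system file: that allow rule would
    trip the domain.te neverallows, so the fix is to move the dependency (here
    the interpreter) onto /vendor rather than to add the rule."""
    return d['stype'] in VENDOR_DOMAINS and d['ttype'] in SYSTEM_FILE_TYPES and d['tclass'] == 'file'

def triage(lines):
    """Map each denial line to (proposed rule, would it be neverallow'd)."""
    return [(allow_rule(d), crosses_treble_boundary(d)) for d in map(parse_avc, lines) if d]
```

Running `triage(SAMPLE_DENIALS)` shows the isolated_app denial is unrelated noise, while the verifyusb one would need `allow verifyusb shell_exec:file { read };`, exactly the system-file access the quoted neverallows forbid for vendor domains.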