To add service in sepolicy:
I have followed the steps below to create and register a service in sepolicy.
Step 1: Create script file
verifyusb.sh
#!/system/bin/sh
echo "Hello USB"
# +++ some logic +++
Step 2: Copied verifyusb.sh into system/bin/
LOCAL_DEVICE_MEDIA := device/xxx/XXX/verifyusb.sh:system/bin/verifyusb.sh
Step 3: Added verifyusb.sh to init.rc
device/xxx/xxx/rcs/init.rc
on boot
    exec - root root system readproc -- /system/bin/verifyusb.sh
Step 4: Created .te file
Path: device/xxx/xxx/sepolicy/xxx/verifyusb.te
type verifyusb, domain;
type verifyusb_exec, exec_type, file_type;
init_daemon_domain(verifyusb)
Step 5: Registered the file in device/xxx/xxx/sepolicy/xxx/file_contexts
/system/bin/verifyusb.sh u:object_r:verifyusb_exec:s0
Step 6: Compiled and got this error:
[ 98% 902/918] build out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests
FAILED: out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests
/bin/bash -c "(out/host/linux-x86/bin/sepolicy_tests -l out/host/linux-x86/lib64/libsepolwrap.so -f out/target/product/xxx/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts -f out/target/product/xxx/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -p out/target/product/xxx/obj/ETC/sepolicy_intermediates/sepolicy ) && (touch out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )"
The following types on /system/ must be associated with the "system_file_type" attribute: verifyusb_exec
Step 7: To resolve the above error, added "system_file_type" to the verifyusb.te file.
type verifyusb, domain;
type verifyusb_exec, system_file_type, exec_type, file_type;
init_daemon_domain(verifyusb)
Step 8: Compiled the source code and got another error:
[ 89% 818/918] build out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/policy.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp neverallow -w -f out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/policy_2.conf || ( echo "" 1>&2; echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; echo "the policy." 1>&2; exit 1 ) ) && (touch out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp ) && (mv out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow on line 1029 of system/sepolicy/public/domain.te (or line 14463 of policy.conf) violated by allow verifyusb verifyusb_exec:file { read getattr map execute entrypoint open };
libsepol.report_failure: neverallow on line 952 of system/sepolicy/public/domain.te (or line 14295 of policy.conf) violated by allow verifyusb verifyusb_exec:file { execute entrypoint };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
14:43:54 ninja failed with: exit status 1
build/make/core/main.mk:21: recipe for target 'run_soong_ui' failed
make: *** [run_soong_ui] Error 1
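
Added example (not part of the original post, and not AOSP code): a small Python triage helper for the libsepol neverallow output shown in Step 8. It extracts which allow rule tripped which assertion and where to look in domain.te and policy.conf. The function names are hypothetical, and the sample input is constructed from the three libsepol lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input: the libsepol lines quoted in the post above.
SAMPLE_LOG = """\
libsepol.report_failure: neverallow on line 1029 of system/sepolicy/public/domain.te (or line 14463 of policy.conf) violated by allow verifyusb verifyusb_exec:file { read getattr map execute entrypoint open };
libsepol.report_failure: neverallow on line 952 of system/sepolicy/public/domain.te (or line 14295 of policy.conf) violated by allow verifyusb verifyusb_exec:file { execute entrypoint };
libsepol.check_assertions: 2 neverallow failures occurred
"""

FAILURE_RE = re.compile(
    r"libsepol\.report_failure: neverallow on line (?P<te_line>\d+) of (?P<te_file>\S+) "
    r"\(or line (?P<conf_line>\d+) of policy\.conf\) violated by "
    r"allow (?P<source>\S+) (?P<target>[^\s:]+):(?P<tclass>\S+) \{ (?P<perms>[^}]*)\};")
COUNT_RE = re.compile(r"libsepol\.check_assertions: (\d+) neverallow failures occurred")

def parse_failures(log_text):
    """Return one dict per neverallow violation reported by libsepol."""
    failures = []
    for m in FAILURE_RE.finditer(log_text):
        f = m.groupdict()
        f["te_line"], f["conf_line"] = int(f["te_line"]), int(f["conf_line"])
        f["perms"] = frozenset(f["perms"].split())
        failures.append(f)
    return failures

def log_is_complete(log_text):
    """True when the parsed violations match libsepol's own failure count."""
    m = COUNT_RE.search(log_text)
    return m is not None and int(m.group(1)) == len(parse_failures(log_text))

def summarize(log_text):
    """Group violations by offending allow rule (source, target, class)."""
    rules = defaultdict(lambda: {"assertions": [], "perms": None})
    for f in parse_failures(log_text):
        entry = rules[(f["source"], f["target"], f["tclass"])]
        entry["assertions"].append((f["te_file"], f["te_line"], f["conf_line"]))
        # Keep only the permissions named by every violated assertion for this rule.
        entry["perms"] = f["perms"] if entry["perms"] is None else entry["perms"] & f["perms"]
    return dict(rules)

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE_LOG).items():
        print(f"allow {src} {tgt}:{cls} violates {len(info['assertions'])} neverallow(s)")
        for te_file, te_line, conf_line in info["assertions"]:
            print(f"  {te_file}:{te_line} (policy.conf:{conf_line})")
        print("  perms in every violation:", " ".join(sorted(info["perms"])))
```

The policy.conf line numbers it reports point at the expanded assertion in out/target/product/xxx/obj/ETC/sepolicy_neverallows_intermediates/policy.conf, which shows the exact source and target sets the neverallow covers.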