SELinux and Android
Posted: Sat Mar 31, 2018 8:03 am
To check if you have failures under SELinux:
adb root
adb shell
cat /proc/kmsg | grep -i avc
><36>[ 134.617184] (0)[230:logd.auditd]type=1400 audit(1522507474.770:24): avc: denied { create } for pid=2918 comm="reen.app.tablet" name="realm_6711365682213135548.cv" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=fifo_file permissive=0
In this example, realm was blocked: the system_app domain was denied create on a fifo_file (permissive=0 means the access was actually refused, not just logged).
To switch SELinux to permissive mode for testing (the build must be userdebug or eng, and you need adb root; this is a runtime change, not a fix):
setenforce 0
Making a real (production) rule:
cd <AOSP_ROOT_FOLDER>
export ANDROID_BUILD_TOP=$PWD
adb logcat -b all -d > mylogcat
./external/selinux/prebuilts/bin/audit2allow -p out/target/product/elink8176_tb_n/root/sepolicy < mylogcat
This is my output:
#============= autokd ==============
allow autokd system_prop:property_service set;
#============= cameraserver ==============
allow cameraserver default_prop:property_service set;
#============= pq ==============
allow pq debug_prop:property_service set;
#============= system_app ==============
allow system_app system_app_data_file:fifo_file { read write };
Now I want to allow system_app, so I add the system_app rule to:
./device/mediatek/mt8173/sepolicy/basic/system_app.te
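To see what audit2allow is doing with the collected denials, and to check the generated rule against the exact permission that was denied, here is a small parser added as an example. It is not code from the post or from the AOSP audit2allow tool. The first sample line is the kmsg denial quoted at the top of the post; the other sample lines are constructed logcat-style denials, and the merging behaviour (union of permissions per source domain, target type and class) is what audit2allow does, reproduced here so that the result can be checked offline.

```python
#!/usr/bin/env python3
"""Turn AVC denial lines into SELinux allow rules, audit2allow-style.

Added example (not part of the original post or of the AOSP audit2allow tool).
It parses the "avc: denied" lines collected from /proc/kmsg or logcat and
merges them into allow rules, so the rule can be compared with the denial.
"""
import re
from collections import defaultdict

# One regex covers both the /proc/kmsg and the logcat form of a denial,
# because both carry the same "avc: denied { ... } for ..." text.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r".*?scontext=u:r:(?P<sdomain>[^:\s]+):"
    r".*?tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)


def parse_denials(lines):
    """Return one dict per AVC denial found in `lines`; non-AVC lines are skipped."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append({
            "perms": set(m.group("perms").split()),
            "sdomain": m.group("sdomain"),
            "ttype": m.group("ttype"),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but not blocked
            "permissive": m.group("permissive") == "1",
        })
    return out


def allow_rules(denials):
    """Merge denials into allow rules keyed by (source domain, target type, class).

    Permissions for the same triple are unioned, as audit2allow does, so a
    'create' denial and a later 'read write' denial become one rule.
    Returns {source_domain: [rule, ...]}.
    """
    merged = defaultdict(set)
    for d in denials:
        merged[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = {}
    for (sdomain, ttype, tclass), perms in merged.items():
        ordered = sorted(perms)  # sorted for deterministic output
        perm_txt = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.setdefault(sdomain, []).append(f"allow {sdomain} {ttype}:{tclass} {perm_txt};")
    return rules


def render(rules):
    """Print in the '#============= domain ==============' layout audit2allow uses."""
    chunks = []
    for sdomain in sorted(rules):
        chunks.append(f"#============= {sdomain} ==============")
        chunks.extend(sorted(rules[sdomain]))
    return "\n".join(chunks)


# Constructed sample input: the first line is the kmsg denial quoted in the post,
# the others are made-up logcat-style lines to show merging and a second domain.
SAMPLE_LOG = """\
<36>[  134.617184] (0)[230:logd.auditd]type=1400 audit(1522507474.770:24): avc: denied { create } for pid=2918 comm="reen.app.tablet" name="realm_6711365682213135548.cv" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=fifo_file permissive=0
03-31 08:03:12.001   230   230 I auditd  : type=1400 audit(0.0:25): avc: denied { read write } for comm="reen.app.tablet" name="realm_6711365682213135548.cv" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=fifo_file permissive=0
03-31 08:03:13.002   230   230 I auditd  : type=1400 audit(0.0:26): avc: denied { set } for property=persist.camera.foo scontext=u:r:cameraserver:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0
03-31 08:03:14.003   230   230 I logd    : unrelated line without a denial
"""

if __name__ == "__main__":
    print(render(allow_rules(parse_denials(SAMPLE_LOG.splitlines()))))
```

Run against the denial quoted at the top of the post, the generated rule contains create; a rule that grants only read and write leaves that denial in place, so always compare the permission set in the rule with the one in the avc line before committing it. Treat every generated line as a proposal to review rather than something to paste in wholesale: the audit2allow output above also contains property_service rules for three other domains that have nothing to do with the realm problem, and only the system_app rule is the one being added here.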