avc : denied { find } for service=android.os.UpdateEngineService


Arabi

Jun 20, 2019, 10:06:47 AM
to android-porting

Background: I have customized an AOSP distribution and created a custom OTA updater service to integrate with it. But whenever I call the updater service, the following error message is generated:

E/SELinux: avc: denied { find } for service=android.os.UpdateEngineService pid=22801 uid=10024 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager permissive=0

Diagnosis: Based on the error message, our app is being built as a platform_app. As a result, we are not being allowed to access the path '/data/' on the system.

Possible solution: There might be two approaches towards the solution:

  1. Build the app as a system_app

OR,

  1. Build the app as a platform_app and change SELinux config so that the app is granted necessary access to '/data/' on the system.

Main question: Am I heading towards the right direction with the understanding and possible solutions stated here? If not, what am I missing and what should be done in order to fix this issue?

Yong Ma

Jul 15, 2019, 3:43:53 PM
to android-porting

priv_app is allowed. See https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-9.0.0_r45/private/priv_app.te#104

You should sign your apk with a dev (not platform) certificate and build it in priv-app. And then the app will be labeled as priv-app.

On Thursday, June 20, 2019 at 10:06:47 PM UTC+8, Arabi wrote:

Yong Ma

Jul 15, 2019, 3:43:53 PM
to android-porting

You should build your app as priv-app (put it in /system/priv-app, and do not sign it with the platform key). priv-app is allowed to call UpdateEngineService.

On Thursday, June 20, 2019 at 10:06:47 PM UTC+8, Arabi wrote:

Background: I have customized an AOSP distribution and created a custom OTA updater service to integrate with it. But whenever I call the updater service, the following error message is generated:

Abhishek Subal

Jul 21, 2019, 12:17:34 PM
to android-porting
If you want to keep building as platform-app you can surely change the SELinux policies and that should solve your AVC Denial.
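
An added example, not part of any post in this thread: a small parser for the denial line quoted in the first message that splits out the source domain, target type, object class and permission, and prints the allow rule a policy change for that denial would contain. The function names `parse_avc` and `allow_rule` are this example's own.

```python
import re

# Denial line copied from the first post in this thread.
DENIAL = ("E/SELinux: avc: denied { find } for service=android.os.UpdateEngineService "
          "pid=22801 uid=10024 scontext=u:r:platform_app:s0:c512,c768 "
          "tcontext=u:object_r:update_engine_service:s0 tclass=service_manager permissive=0")

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")


def _type_of(context):
    # A context is user:role:type:level[:categories]; the type is the third part.
    parts = context.split(":")
    return parts[2] if len(parts) >= 4 else None


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    source, target = _type_of(fields["scontext"]), _type_of(fields["tcontext"])
    if source is None or target is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": source,              # domain of the calling process
        "target": target,              # type of the object that was refused
        "tclass": fields["tclass"],    # kind of object (file, service_manager, ...)
        "enforcing": fields.get("permissive") == "0",
        "service": fields.get("service"),
    }


def allow_rule(denial):
    """Format the denial as the allow rule that would permit it."""
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {perm_text};"


if __name__ == "__main__":
    d = parse_avc(DENIAL)
    print(d)
    print(allow_rule(d))
```

A rule derived this way is still checked against the policy's neverallow rules when the sepolicy is built.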