Why dose init process still check selinux of HAL although SElinux is disabled already

[Hưng Vũ]

Hi everyone! I am creating new HIDL and HAL in android 9. Because in develop progress, I disabled SElinux. But when I booted my device, an error occured

[    7.677013] init: Could not start service 'vendor.hvuleds-hal-2-0' as part of class 'hal': File /vendor/bin/hw/android.hardware.hvuleds2.0-service.sony(labeled "u:object_r:vendor_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. Have you configured your service correctly? https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials

By adding new sepolicy for it, I solved this problem and my HAL works well. But one thing I can not understand is why init process needs to check SElinux in while I disabled it already ?

This checking is implemented by a function named ComputeContextFromExecutable. Can anyone explain this to me ?

Thank All !!!

[Bilal Ahmed]

Hi Hungvu,

This is an issue with Android version 8.1 and newer versions even if you set SELinux to permissive it still requires to define a domain. Therefore you are requested to either define a basic domain for your hal and add your hal to that domain or if you just wanna perform some basic testing then temporarily use any other predefined domain. Once your module is finalized then you may define a new domain for it and then run in permissive mode to find the missing SELinux policies.

Best regards,
Bilal

[Hưng Vũ]

Now I understand ! Thanks for your answer !

Vào 22:27:28 UTC+7 Chủ Nhật, ngày 05 tháng 4 năm 2020, Bilal Ahmed đã viết: