
init warning: Service myservice needs a SELinux domain defined. Please fix

I want to execute an executable on boot on a target board with Android 5.1, so I added this in init.rc:

on boot
    start myservice

service myservice /system/bin/myservice
    #class main
    user root
    group root
    #oneshot   

I did the unpack and repack job.
When changes are made, however, the screen keeps printing:

 init warning: Service myservice needs a SELinux domain defined. Please fix.
 type=1400 ... avc:denied ... scontext ... tcontext ... #some annoying warning messages like this

SELinux seems a huge project for me. I just want to avoid that. I tried two approaches:

1. setenv kernelargs 'console=ttyS0,115200n8 rootdelay=1 selinux=0' and saveenv
2. set enforce 0

For method 1, printenv gives the result:

kernelargs=console=ttyS0,115200n8 rootdelay=1 selinux=0

So you see, changes have been made. But the warning messages keep printing after rebooting.
For method 2, it says:

Could not set enforce status. Permission denied.

So now I'm trapped in the dilemma and have no idea where to go. My questions:

    1. Does anyone know how to disable or set permissive mode in Android?
    2. Which files should I modify if I want to define a domain for the new service?

Besides, ls -Z /system/bin/myservice gives this:

u:object_r:system_file:s0
dudu asked Apr 25 '17 01:04



2 Answers

  1. You need su to set permissive mode. Or you need the source code to disable SELinux, such as by disabling SELinux in the kernel config, or disabling SELinux in BOARD_KERNEL_CMDLINE in device/vendor_name/product_name/BoardConfig.mk.

  2. If you have the source code, you can define the new domain as you wish.

Please refer to the Android official documents: https://source.android.com/security/selinux/device-policy

section: Label new services and address denials

kevinems answered Sep 17 '22 18:09
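
What defining a domain for the question's myservice looks like, following the "Label new services and address denials" section referenced in the answer above. This is an added example, not part of the original answer or the asker's device tree; the type names myservice and myservice_exec, the file name myservice.te, and the sepolicy directory under the placeholder device path are assumptions.

```selinux
# --- device/vendor_name/product_name/sepolicy/myservice.te (assumed file name) ---
# Process domain for the daemon, and the label for its executable.
type myservice, domain;
type myservice_exec, exec_type, file_type;

# Macro from te_macros: when init executes a file labeled myservice_exec,
# the new process transitions out of init's domain into myservice.
# Without such a transition the service would stay in init's own context,
# which is the condition the "needs a SELinux domain defined" warning reports.
init_daemon_domain(myservice)

# Add allow rules only for accesses the daemon really needs, one per
# avc: denied line it logs, in this shape (placeholders, not real rules):
# allow myservice <target_type>:<class> { <permissions> };

# --- device/vendor_name/product_name/sepolicy/file_contexts ---
# Replaces the generic system_file label that ls -Z showed in the question.
/system/bin/myservice    u:object_r:myservice_exec:s0

# --- device/vendor_name/product_name/BoardConfig.mk (Android 5.x build) ---
# BOARD_SEPOLICY_DIRS  += device/vendor_name/product_name/sepolicy
# BOARD_SEPOLICY_UNION += myservice.te file_contexts

# --- init.rc: service stanza as in the question, no seclabel line ---
# The domain comes from the policy transition above.
service myservice /system/bin/myservice
    user root
    group root
```

After rebuilding and flashing, ls -Z /system/bin/myservice should show myservice_exec, and ps -Z should list the process as u:r:myservice:s0 rather than in init's context.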


You have to add the seclabel attribute to the service in your init.rc file, but I don't know if your context will work. I just implemented it myself with the init_exec context:

$ grep yourservice system/sepolicy/file_contexts
/system/bin/vpd u:object_r:init_exec:s0

$ ls -Z path/to/system/bin/yourservice
u:object_r:init_exec:s0 path/to/system/bin/yourservice

$ grep yourservice device/brand/product/init.rc  -A 5
service yourservice /system/bin/yourservice
    seclabel u:r:init:s0
    user root
    group root
    oneshot

Disabling SELinux on Android isn't hard and there are many threads treating the question. Just add either one of the following to your kernel command line parameters (i.e. bootargs in U-Boot):

androidboot.selinux=permissive
androidboot.selinux=disabled
Bayou answered Sep 16 '22 18:09