When attempting to add a system service on Android 4.4.4, permission may be denied by the Security-Enhanced Linux (SELinux) mechanism.
Below is console log output from Android 4.4.4's boot process whilst trying to add a user-defined service named 'foo'. Line 3 shows permission denied by SELinux for an 'add' operation.
For security, SELinux operates on a whitelist policy: a service must be declared in advance in the policy's exceptions list before it is granted permission to run. The intention is to stop unwanted services from granting themselves potentially dangerous permissions, hence 'enhancing' the overall security and integrity of the operating system.
Read more about SELinux here.
There are two methods to allow user-defined system services:
1. Add exception entries to the SELinux service list (recommended)
Android's SELinux service list is stored in the file:
/external/sepolicy/service_contexts
'foo' can be added to the list as a system service as shown in the snippet below.
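The denial in the log and the fix in service_contexts are two halves of the same picture, so the added example below (not code from the original article) ties them together: it parses the 'avc: denied { add }' line that servicemanager logs, checks whether the denied service has its own entry in service_contexts, and renders the entry that would give it one. The log line, the service_contexts text and the label name 'foo_service' are constructed for the example; the scontext/tcontext/tclass field layout follows the AVC log format.

```python
"""Triage a servicemanager SELinux 'add' denial against service_contexts.

Added example, not from the original article. Sample inputs are constructed;
'foo_service' is an assumed type name for the new service's label.
"""
import re

# Constructed sample of the denial as it appears in dmesg/logcat. The service
# name and domain are made up; the field layout is the AVC format.
SAMPLE_LOG = """\
init: Starting service 'foo'...
servicemanager: Warning: SELinux context lookup failed
avc: denied { add } for service=foo scontext=u:r:foo:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
"""

# Constructed sample service_contexts: service name, then its label. The '*'
# line is the catch-all label a service gets when it has no entry of its own.
SAMPLE_SERVICE_CONTEXTS = """\
# service name    security context
activity          u:object_r:system_server_service:s0
*                 u:object_r:default_android_service:s0
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perm>[^}]+)\} for service=(?P<service>\S+) "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_service_denials(log_text):
    """Return one dict per AVC denial whose target class is service_manager."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("tclass") == "service_manager":
            d = m.groupdict()
            d["perm"] = d["perm"].strip()
            denials.append(d)
    return denials


def parse_service_contexts(text):
    """Map service name -> label, skipping comments, blank and malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 2:
            continue
        name, label = parts
        table[name] = label
    return table


def missing_entries(denials, contexts):
    """Denied services that have no dedicated entry (they only match '*')."""
    return sorted({d["service"] for d in denials if d["service"] not in contexts})


def proposed_entry(service, label_type):
    """Render the service_contexts line that gives the service its own label."""
    return "%-18s u:object_r:%s:s0" % (service, label_type)


def triage(log_text, contexts_text, label_type):
    """Return {service: proposed service_contexts line} for unlabeled denied services."""
    denials = parse_service_denials(log_text)
    contexts = parse_service_contexts(contexts_text)
    return {s: proposed_entry(s, label_type) for s in missing_entries(denials, contexts)}


if __name__ == "__main__":
    for name, entry in triage(SAMPLE_LOG, SAMPLE_SERVICE_CONTEXTS, "foo_service").items():
        print("service %r has no service_contexts entry; proposed line:\n  %s" % (name, entry))
```

The service_contexts line only assigns the label; the type it names must also be declared in the sepolicy sources and the daemon's domain granted 'add' on it, otherwise the denial simply reappears with the new tcontext.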
2. Disable the SELinux Mechanism
The SELinux mechanism can be disabled altogether by altering Linux's initialization process. The init.rc found in /system/core/rootdir/init.rc must be modified to include setenforce 0. Alternatively, setenforce 1 or removing the command would re-enable SELinux. The command has been included in init.rc under on init in the snippet below.
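With setenforce 0 in init.rc the whole device boots permissive, where denials are logged but no longer blocked, so it is worth being able to tell from a build tree which mode its init.rc will produce. The added shell example below (not part of the original article) scans an init.rc for setenforce directives, reports the section each one lives in, and derives the resulting mode from the last directive in the file. The init.rc content is constructed; only its section names mirror the standard layout.

```shell
#!/bin/sh
# Added example, not from the original article: audit an init.rc for the
# setenforce directive and report the SELinux mode the build will boot into.

# Print the mode implied by the last setenforce directive in the file:
# "permissive" for setenforce 0, "enforcing" for setenforce 1, "unset" if none.
init_rc_selinux_mode() {
    last=$(grep -E '^[[:space:]]*setenforce[[:space:]]+[01]' "$1" | tail -n 1 | awk '{print $2}')
    case "$last" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo unset ;;
    esac
}

# Print "section: directive" for every setenforce line so a reviewer can see where it sits.
init_rc_setenforce_lines() {
    awk '/^on /{section=$0}
         /^[[:space:]]*setenforce[[:space:]]/{sub(/^[[:space:]]+/, ""); print section ": " $0}' "$1"
}

# Constructed sample init.rc with the command placed under "on init".
SAMPLE_INIT_RC=$(mktemp)
cat > "$SAMPLE_INIT_RC" <<'EOF'
on early-init
    write /proc/1/oom_adj -16

on init
    setenforce 0
    export PATH /sbin:/system/sbin
EOF

init_rc_setenforce_lines "$SAMPLE_INIT_RC"
echo "mode: $(init_rc_selinux_mode "$SAMPLE_INIT_RC")"
```

Run it against a real tree with the path from above, for example init_rc_selinux_mode system/core/rootdir/init.rc; a release build should report enforcing or unset, never permissive.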