Stephen Smalley  committed d74e283

Set SELinux security contexts correctly for init and services.

Otherwise everything is left running in the kernel domain when
booting recovery.

Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <>

  • Participants
  • Parent commits c64e76c
  • Branches seandroid-4.4.2

Comments (0)

Files changed (1)

 import /init.recovery.${ro.hardware}.rc
 on early-init
+    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
+    write /sys/fs/selinux/checkreqprot 0
+    # Set the security context for the init process.
+    # This should occur before anything else (e.g. ueventd) is started.
+    setcon u:r:init:s0
     start ueventd
     start healthd
 service ueventd /sbin/ueventd
+    seclabel u:r:ueventd:s0
 service healthd /sbin/healthd -n
+    seclabel u:r:healthd:s0
 service recovery /sbin/recovery
+    seclabel u:r:recovery:s0
 service adbd /sbin/adbd recovery
     socket adbd stream 660 system system
+    seclabel u:r:adbd:s0
 # Always start adbd on userdebug and eng builds
 on property:ro.debuggable=1