
I'm setting up a custom service with a custom sepolicy, using this as a base: How to fix SELinux "avc: denied" errors when launching DNSCrypt as init.d script?

I follow the quick summary from the link 99% 1:1, except for some small, irrelevant differences like naming, paths, etc. My issue is that now I want config and log files to be read and written (respectively) from the internal storage, /sdcard aka /storage/self/primary.

The custom sepolicy looks like this:

supolicy --live 'allow init my_service process *'
supolicy --live 'allow my_service my_service * *'
supolicy --live 'allow my_service node tcp_socket { node_bind }'
supolicy --live 'allow my_service node udp_socket { node_bind }'
supolicy --live 'allow my_service port tcp_socket { name_bind name_connect }'
supolicy --live 'allow my_service port udp_socket { name_bind }'
supolicy --live 'allow my_service proc_net file { open read }'
supolicy --live 'allow my_service proc_stat file { read }'
supolicy --live 'allow my_service properties_device dir { read }'
supolicy --live 'allow my_service devpts chr_file { open read write }'

dmesg shows me permission denials like: avc: denied { search} [...] scontext=u:r:my_service:s0 tcontext=u:object_r:storage_file:s0 tclass=dir

How can I update the current custom policy that I load on boot via: exec u:r:magisk:s0 root root -- /system/bin/load_policy /system/etc/selinux/sepolicy

with new additions? And how would I specify storage_file? Does this object cover access to the whole internal SD memory, or do I somehow need to specify a path?

UPD:

I collected all SELinux denials and allowed them, and now I'm in the clear in terms of SELinux permissions. Still, I don't have access to storage; the process reports an error:

[FATAL] open /data/media/0/config/my_config.cfg Permission denied

which makes no sense to me. chown for the file is root/everybody and chmod is 660.

Kirikan

0 Answers
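An added helper, not from the question or the linked post, that turns avc denial lines into the same `supolicy --live 'allow ...'` form used above, one rule per distinct denial, so each can be read and judged before it is loaded on boot. The dmesg lines are a constructed sample modelled on the denial quoted in the question; the target type for the /data/media path (media_rw_data_file) is an assumption, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original post): convert "avc: denied" lines from
# dmesg into one `supolicy --live 'allow ...'` statement per distinct denial.
# SAMPLE_DMESG is a constructed sample; on a device you would feed `dmesg`
# (or logcat) output into avc_to_supolicy instead.
SAMPLE_DMESG='[   12.345] type=1400 audit(0.0:1): avc: denied { search } for pid=1234 comm="my_service" name="/" dev="sdcardfs" ino=1 scontext=u:r:my_service:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=0
[   12.346] type=1400 audit(0.0:2): avc: denied { read open } for pid=1234 comm="my_service" path="/data/media/0/config/my_config.cfg" scontext=u:r:my_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=0
[   12.347] type=1400 audit(0.0:3): avc: denied { search } for pid=1234 comm="my_service" name="0" dev="sdcardfs" ino=2 scontext=u:r:my_service:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=0'

# avc_to_supolicy: read kernel log lines on stdin and print a supolicy command
# for each distinct (source type, target type, class, permission set).
# The sed expression captures \1 = permissions, \2 = scontext type,
# \3 = tcontext type, \4 = tclass. Lines without a denial print nothing.
# Only the type is kept from each context; the MLS suffix (s0, or s0:cNNN for
# app domains) is dropped because supolicy rules are written per type.
# sort -u collapses repeated denials of the same access into one rule.
avc_to_supolicy() {
    sed -n "s/.*avc: denied { \([^}]*\) } .*scontext=u:r:\([^:]*\):[^ ]* .*tcontext=u:[^:]*:\([^:]*\):[^ ]* .*tclass=\([a-z_]*\).*/supolicy --live 'allow \2 \3 \4 { \1 }'/p" \
        | sort -u
}

# Print the rules derived from the sample. Each line grants exactly one
# denial's worth of access, which is narrower than wildcard rules such as
# 'allow my_service my_service * *' and easier to justify when reviewed later.
printf '%s\n' "$SAMPLE_DMESG" | avc_to_supolicy
```

Review the printed lines, then run the ones you actually want; the script never applies anything itself.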