Note selinux trans error happens in permissive. There was an email thread about this recently, and I've been asked many times. For instance, if this error wasn't attributed, denials a service is hitting would be attributed to init, and that's a recipe for disaster. Secondarily, thinking about SELinux whenever you write a new service is good. Bug: N/A Test: N/A Change-Id: Ib9d2c5d8947375a0d4c33ecf3d075caef6b41f70

commit: 9e987cbb1af286c0644716b69e760b7f3fe8a4ed [log] [tgz]
author: Steven Moreland <smoreland@google.com> Thu Apr 09 12:45:03 2020 -0700
committer: Steven Moreland <smoreland@google.com> Thu Apr 09 12:48:46 2020 -0700
tree: d5a8ecbb8a751281e72b5715403ab0892709f88a
parent: e1948bf7443dfef2eee82148e372410ab6f26d6c [diff] [blame]
diff --git a/init/service.cpp b/init/service.cpp
index b12d11a..20400a0 100644
--- a/init/service.cpp
+++ b/init/service.cpp

@@ -90,7 +90,9 @@
                        << "\") has incorrect label or no domain transition from " << mycon.get()
                        << " to another SELinux domain defined. Have you configured your "
                           "service correctly? https://source.android.com/security/selinux/"
-                          "device-policy#label_new_services_and_address_denials";
+                          "device-policy#label_new_services_and_address_denials. Note: this "
+                          "error shows up even in permissive mode in order to make auditing "
+                          "denials possible.";
     }
     if (rc < 0) {
         return Error() << "Could not get process context";
commit	9e987cbb1af286c0644716b69e760b7f3fe8a4ed	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Thu Apr 09 12:45:03 2020 -0700
committer	Steven Moreland <smoreland@google.com>	Thu Apr 09 12:48:46 2020 -0700
tree	d5a8ecbb8a751281e72b5715403ab0892709f88a
parent	e1948bf7443dfef2eee82148e372410ab6f26d6c [diff] [blame]