[SOLVED] How to fix SELinux "avc: denied" errors when launching DNSCrypt as init.d script?

I've installed an unofficial lineage OS 14.1 ROM on my phone and i want to have dnscrypt used on boot by default.

There is what i have done:

Download arm binaries from: https://github.com/jedisct1/dnscrypt-proxy/releases
Push dnscrypt-proxy in /system/xbin
Push dnscrypt-proxy.toml in /etc/dnscrypt-proxy/

Created the following script: /etc/init.d/99dnscrypt

#!/system/bin/sh
log -p i -t dnscrypt "Starting dnscrypt-proxy..."
dnscrypt-proxy -config /system/etc/dnscrypt-proxy/dnscrypt-proxy.toml &
log -p i -t dnscrypt "Changing dns with iptables..."
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53

Reboot

Now if i launch 99dnscrypt as root from adb it works like a charm

But on boot it does not.

On logcat i see this errors:

02-07 01:00:22.369   267   267 I sysinit : Running /system/etc/init.d/99dnscrypt 
02-07 01:00:22.540   275   275 I dnscrypt: Starting dnscrypt-proxy... 
02-07 01:00:22.878   278   278 I dnscrypt: Changing dns with iptables... 
02-07 01:00:23.236   277   277 W dnscrypt-proxy: type=1400 audit(0.0:28): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:23.236   277   277 W dnscrypt-proxy: type=1300 audit(0.0:28): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=274 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:24.238   277   277 W dnscrypt-proxy: type=1400 audit(0.0:45): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:24.238   277   277 W dnscrypt-proxy: type=1300 audit(0.0:45): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:28.242   277   277 W dnscrypt-proxy: type=1400 audit(0.0:82): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:28.242   277   277 W dnscrypt-proxy: type=1300 audit(0.0:82): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:29.233   277   277 W dnscrypt-proxy: type=1400 audit(0.0:94): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:29.233   277   277 W dnscrypt-proxy: type=1300 audit(0.0:94): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:30.234   277   277 W dnscrypt-proxy: type=1400 audit(0.0:105): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:30.234   277   277 W dnscrypt-proxy: type=1300 audit(0.0:105): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:31.235   277   277 W dnscrypt-proxy: type=1400 audit(0.0:121): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:31.235   277   277 W dnscrypt-proxy: type=1300 audit(0.0:121): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:32.236   277   277 W dnscrypt-proxy: type=1400 audit(0.0:145): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:32.236   277   277 W dnscrypt-proxy: type=1300 audit(0.0:145): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:33.247   458   458 W dnscrypt-proxy: type=1400 audit(0.0:146): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:33.247   458   458 W dnscrypt-proxy: type=1300 audit(0.0:146): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:34.248   458   458 W dnscrypt-proxy: type=1400 audit(0.0:147): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:34.248   458   458 W dnscrypt-proxy: type=1300 audit(0.0:147): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:35.249   458   458 W dnscrypt-proxy: type=1400 audit(0.0:148): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:35.249   458   458 W dnscrypt-proxy: type=1300 audit(0.0:148): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:36.250   458   458 W dnscrypt-proxy: type=1400 audit(0.0:149): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:36.250   458   458 W dnscrypt-proxy: type=1300 audit(0.0:149): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:37.251   458   458 W dnscrypt-proxy: type=1400 audit(0.0:150): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:37.251   458   458 W dnscrypt-proxy: type=1300 audit(0.0:150): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:38.242   458   458 W dnscrypt-proxy: type=1400 audit(0.0:151): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:38.242   458   458 W dnscrypt-proxy: type=1300 audit(0.0:151): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:39.244   458   458 W dnscrypt-proxy: type=1400 audit(0.0:152): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:39.244   458   458 W dnscrypt-proxy: type=1300 audit(0.0:152): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:40.245   458   458 W dnscrypt-proxy: type=1400 audit(0.0:153): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:40.245   458   458 W dnscrypt-proxy: type=1300 audit(0.0:153): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:41.246   458   458 W dnscrypt-proxy: type=1400 audit(0.0:154): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:41.246   458   458 W dnscrypt-proxy: type=1300 audit(0.0:154): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:42.247   458   458 W dnscrypt-proxy: type=1400 audit(0.0:155): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:42.247   458   458 W dnscrypt-proxy: type=1300 audit(0.0:155): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:43.248   458   458 W dnscrypt-proxy: type=1400 audit(0.0:156): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:43.248   458   458 W dnscrypt-proxy: type=1300 audit(0.0:156): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:44.249   458   458 W dnscrypt-proxy: type=1400 audit(0.0:157): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:44.249   458   458 W dnscrypt-proxy: type=1300 audit(0.0:157): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:46.251   458   458 W dnscrypt-proxy: type=1400 audit(0.0:185): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:46.251   458   458 W dnscrypt-proxy: type=1300 audit(0.0:185): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:47.252   458   458 W dnscrypt-proxy: type=1400 audit(0.0:186): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:47.252   458   458 W dnscrypt-proxy: type=1300 audit(0.0:186): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:48.243   458   458 W dnscrypt-proxy: type=1400 audit(0.0:187): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:48.243   458   458 W dnscrypt-proxy: type=1300 audit(0.0:187): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:49.254   458   458 W dnscrypt-proxy: type=1400 audit(0.0:188): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:49.254   458   458 W dnscrypt-proxy: type=1300 audit(0.0:188): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:50.255   458   458 W dnscrypt-proxy: type=1400 audit(0.0:189): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:50.255   458   458 W dnscrypt-proxy: type=1300 audit(0.0:189): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:51.256   458   458 W dnscrypt-proxy: type=1400 audit(0.0:190): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:51.256   458   458 W dnscrypt-proxy: type=1300 audit(0.0:190): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:52.257   458   458 W dnscrypt-proxy: type=1400 audit(0.0:191): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:52.257   458   458 W dnscrypt-proxy: type=1300 audit(0.0:191): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:53.259   458   458 W dnscrypt-proxy: type=1400 audit(0.0:192): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:53.259   458   458 W dnscrypt-proxy: type=1300 audit(0.0:192): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:54.260   458   458 W dnscrypt-proxy: type=1400 audit(0.0:193): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:54.260   458   458 W dnscrypt-proxy: type=1300 audit(0.0:193): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:55.261   458   458 W dnscrypt-proxy: type=1400 audit(0.0:194): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:55.261   458   458 W dnscrypt-proxy: type=1300 audit(0.0:194): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:56.262   458   458 W dnscrypt-proxy: type=1400 audit(0.0:195): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:56.262   458   458 W dnscrypt-proxy: type=1300 audit(0.0:195): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:57.253   458   458 W dnscrypt-proxy: type=1400 audit(0.0:196): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:57.253   458   458 W dnscrypt-proxy: type=1300 audit(0.0:196): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:58.254   458   458 W dnscrypt-proxy: type=1400 audit(0.0:197): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:58.254   458   458 W dnscrypt-proxy: type=1300 audit(0.0:197): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:59.255   458   458 W dnscrypt-proxy: type=1400 audit(0.0:198): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:59.255   458   458 W dnscrypt-proxy: type=1300 audit(0.0:198): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:01:00.256   458   458 W dnscrypt-proxy: type=1400 audit(0.0:203): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:01:00.256   458   458 W dnscrypt-proxy: type=1300 audit(0.0:203): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:01:01.257   458   458 W dnscrypt-proxy: type=1400 audit(0.0:204): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:01:01.257   458   458 W dnscrypt-proxy: type=1300 audit(0.0:204): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:01:02.258   458   458 W dnscrypt-proxy: type=1400 audit(0.0:207): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:01:02.258   458   458 W dnscrypt-proxy: type=1300 audit(0.0:207): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)

What is the difference between executing this as root after boot and launch it from init.d? Any idea how i can solve this?

1 comments

@Irfan Latif 2019-02-10 18:31:48

Pardon me if I fail to sum up the wast subject in a brief answer :)

SELINUX AND AVC DENIALS

Android is based on Linux kernel that makes use of Discretionary and Mandatory Access Controls (DAC, MAC) to restrict access to system resources such as files on a certain filesystem. DAC includes classic UNIX RWX file modes, owner/group or UID/GID, Extended Attributes and Access Control Lists. XATTR and ACL are rarely used filesystem related attributes, though MAC also makes use of XATTRs. Root user (UID: 0) is the super user (administrator) within DAC mechanism which can bypass all permission checks imposed by kernel. To make controls more fine-grained, authorities of root user are further divided in subgroups called capabilities.

Coming to MAC, SELinux and AppArmor are commonly used Mandatory Access Control mechanisms. In SELinux model, every file/process is labeled with a context and rules are defined to allow a context access the other.
Say, we want to run command ls with context my_process on a file with context my_file, rule must be defined to allow this access:

allow my_process my_file file { getattr read open }

Otherwise access will be denied with error something like:

avc: denied { open } for pid=... comm="ls" path=... scontext=u:object_r:my_process:s0 tcontext=u:object_r:my_file:s0 tclass=file permissive=0

^{* File SELinux labels can be changed with chcon while processes can be started with a given context using runcon command.}

SELINUX ON ANDROID

Android uses SELinux as part of its security implementations. When a ROM is compiled for a specific device, thousands of SE Policy rules are defined to allow all possible desired accesses. These rules are compiled into a binary file /sepolicy which is placed at root of initramfs in boot.img. This file is loaded during early boot process by init; the very first process that starts all other processes.
Init also starts different processes/services with different contexts as defined in their init *.rc files.
All filesystem labels are stored in multiple files saved in rootfs or at /system/etc/selinux/*_contexts, /vendor/etc/selinux/*_contexts etc. These labels can be restored by restorecon command.

ROOTING AND SELINUX

Now if you want to start a process with different context that hasn't been explicitly allowed in SE Policy, you need to define new rules. However that's not possible under normal circumstances as DAC, MAC and capabilities together won't let you do that. Here comes rooting the phone; let's take example of Magisk.
Magisk starts a daemon as an init service that lets any non-privileged process ask for super user rights. So the problem of UID 0 and lack of capabilities is resolved. In order to address SELinux denials, Magisk defines two new contexts: magisk for proccesses and magisk_file for filesystem. Then rules are defined to allow all access attempts from/to these contexts and /sepolicy is replaced with modified policy file. From now onward any processes running with Magisk rights won't be disallowed from doing anything. This could be really dangerous.

Now coming to your question,
You are starting a process with context u:r:sysinit:s0 which isn't allowed in policy to access all resources it needs. So what you can do is:

OPTION 1:
Run init.d scripts with root's privileges and forget about denials; DAC or MAC. Magisk, for instance, executes scripts placed in /data/adb/*.d directories on boot.
But as a common practice, processes shouldn't be given unnecessary privileges.

OPTION 2:
Set SELinux permissive:

/system/bin/setenforce 0
# OR
echo 0 >/sys/fs/selinux/enforce

But it disables SELinux for whole device which isn't recommended. So instead:

OPTION 3:
Set only sysinit to permissive:

/sbin/supolicy --live 'permissive sysinit'
# or let sysinit do anything without logging denials
/sbin/supolicy --live 'allow sysinit * *'

^{* supolicy tool is part of Magisk to manipulate SELinux policy. You can also use sepolicy-inject or similar tool.}

All of the above solutions are a quick workaround but if you don't want to leave anything loose, go ahead.

OPTION 4:
We can define SEPolicy rules for sysinit context and save that as our default policy to be loaded on boot. For instance, avc denial in your log:

avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0

can be converted to an SEPolicy rule:

allow sysinit sysinit udp_socket { create }

sysinit is an init service added to some custom ROMs that executes scripts under /system/etc/init.d/, but it's not a standard AOSP service and the UID, GID, supplementary groups, capabilities and SELinux contexts that this service runs with may differ on different devices.
So in a more general perspective, let's create a new dnscrypt-proxy init service with desired context and additionally with desired UID/GID/groups/capabilities to grant least required privileges.

HOW TO ADD CUSTOM INIT SERVICE TO ANDROID?

Place executable binary at /system/xbin/dnscrypt-proxy
Create directory /etc/dnscrypt-proxy, configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml and optionally /etc/dnscrypt-proxy/blacklist.txt if needed.
```
listen_addresses = ['127.0.0.1:55']

[blacklist]
  blacklist_file = '/system/etc/dnscrypt-proxy/blacklist.txt'

[static]
  [static.'cloudflare']
  stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk'
```
- I'm using here port 55 because otherwise dnsmasq server will fail to listen on pre-occupied port 53 when tethering is turned on, causing hotspot to fail.
- Private DNS (DoT) feature introduced in Android Pie doesn't use port 53. To enforce dnscrypt-proxy, Private DNS should be disabled.

Create /etc/init/dnscrypt-proxy.rc.

# define service
service dnscrypt-proxy /system/bin/logwrapper /system/xbin/dnscrypt-proxy -config /system/etc/dnscrypt-proxy/dnscrypt-proxy.toml
    seclabel u:r:dns_crypt:s0
    user 999
    group 999 3003
    disabled
    capabilities NET_BIND_SERVICE

# start dnscrypt-proxy after netd daemon
on property:init.svc.netd=running
    start dnscrypt-proxy

# redirect all DNS queries to dnscrypt-proxy
on property:init.svc.dnscrypt-proxy=running
    exec u:r:dns_crypt:s0 root root -- /system/bin/iptables -w 60 -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:55
on property:init.svc.dnscrypt-proxy=stopped
    exec u:r:dns_crypt:s0 root root -- /system/bin/iptables -w 60 -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:55

Process doesn't need to be run as root. Use non-privileged UID 999 or any other UID not used by Android OS.
In order to access internet, process needs to be in group aid_inet (3003) or have the capability NET_RAW (create socket), and should have capability NET_BIND_SERVICE (bind to socket).
If you are using a firewall (like AFWall+) to block outbound traffic, you need to explicitly allow UID 999 on every boot:
```
~# iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT
```

To forward hostpot traffic through dnscrypt-proxy:

~# iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to 127.0.0.1:55
~# echo -n 1 >/proc/sys/net/ipv4/conf/all/route_localnet

Define SEPolicy rules:

~# supolicy --live 'create dns_crypt'                  # create new context
~# supolicy --live 'allow init dns_crypt process *'    # let init handle the service
~# supolicy --live 'allow dns_crypt dns_crypt * *'     # allow mutual love

In the same way:

# allow access to files under /system
    allow dns_crypt system_file dir { read open }
    allow dns_crypt system_file file { lock entrypoint execute_no_trans }
# allow creatig/connecting to net sockets
    allow dns_crypt node tcp_socket { node_bind }
    allow dns_crypt node udp_socket { node_bind }
    allow dns_crypt port tcp_socket { name_bind name_connect }
    allow dns_crypt port udp_socket { name_bind }
# allow reading /proc and /dev filesystem
    allow dns_crypt proc_net file { open read }
    allow dns_crypt proc_stat file { read }
    allow dns_crypt properties_device dir { read }
# allow writing to logcat, logging to file requires different AVC rules
    allow dns_crypt devpts chr_file { open read write }

That's what works for me on AEX Pie ROM. However the labels and contexts may slightly differ on different Android versions and on different phones.
For testing, you can set SELinux permissive on boot by adding a line temporarily to dnscrypt-proxy.rc file:
```
...
...
on property:init.svc.netd=running
    exec u:r:magisk:s0 root root -- /system/bin/setenforce 0
    start dnscrypt-proxy
...
...
```
Then use dmesg to see avc denials and define any further rules.

Save and load policy file.
```
~# supolicy --save /etc/selinux/sepolicy
```
Live injecting a large number of rules to policy takes longer. Since these rules need to be loaded on every boot, save them as default sepolicy file.
- Unpack boot.img and replace the /sepolicy file with yours. In this way the service will work even if the phone is not rooted.
- However if you don't want to modify boot.img, you can take support from Magisk to load custom policy on boot before the dnscrypt-proxy service is started. It's because even init on its own can't load any custom policy once SELinux is set enforcing after loading default policy.
```
...
...
on property:init.svc.netd=running
    exec u:r:magisk:s0 root root -- /system/bin/load_policy /system/etc/selinux/sepolicy
    start dnscrypt-proxy
...
...
```

Set permissions and fix contexts:

~# chmod 0755 /etc/dnscrypt-proxy /system/xbin/dnscrypt-proxy
~# chmod 0644 /etc/init/dnscrypt-proxy.rc /etc/dnscrypt-proxy/* /etc/selinux/sepolicy
~# restorecon -Rv /system/xbin/dnscrypt-proxy /etc/*

Reboot.

You have a harmless, innocent-looking dnscrypt-proxy service running on your device.

@beeshyams 2019-02-10 19:56:34

+1. As ever very detailed :)

@wellsaid 2019-02-13 12:03:34

Hi, this seems very promising! however in my rom (based on lineage OS 14.1) adding /etc/init/dnscrypt-proxy.rc does not seem to start the process (file permissions seem right). How can i verify its working? Furthermore i have no supolicy command.

@Irfan Latif 2019-02-13 12:52:43

Set SELinux permissive for testing initially. May be you need to define extra AVC rules. Once everything is in place, switch to enforcing mode. logwrapper writes to Android's logcat, so you can confirm by logcat | grep dnscrypt. supolicy comes with Magisk.

@wellsaid 2019-02-14 14:20:26

Thanks for all the help, i will give it a shot when i have time. In the mean time i have installed magisk and i have found this module: github.com/Magisk-Modules-Repo/dnscrypt-proxy. It does exactly what we are trying to accomplish right?

@Irfan Latif 2019-02-14 15:12:41

Yeah seems so, but I haven't given it a try.

[SOLVED] How to make SELinux injected rules persistent without unpacking-packing boot.img?

2019-07-22 11:20:07
Vatish Sharma
45 View
2 Score
1 Answer
Tags: root-access linux services selinux init.d

1 Answered Questions

Init.d script trouble shooting

2016-12-08 00:36:32
user199849
896 View
3 Score
1 Answer
Tags: root-access lg-g3 disable-app init.d

1 Answered Questions

Fix SELinux contexts for a SU binary

2017-05-22 14:00:45
nom
1284 View
0 Score
1 Answer
Tags: 6.0-marshmallow root-access selinux supersu

3 Answered Questions

[SOLVED] How can I run a custom .sh script at each startup (without native init.d support)?

2017-08-25 12:06:27
iBug
3934 View
0 Score
3 Answer
Tags: boot scripts init.d

1 Answered Questions

Init.d Script won't work to keep value

2017-11-07 17:28:31
user243084
136 View
0 Score
1 Answer
Tags: android-emulator init.d

1 Answered Questions

[SOLVED] How SElinux protects android from rooting

2015-08-23 09:00:38
DevUt
1259 View
2 Score
1 Answer
Tags: rooting root-access selinux

1 Answered Questions

[SOLVED] remove the script in init.d

2015-06-04 07:53:37
anindyo
5306 View
0 Score
1 Answer
Tags: init.d

1 Answered Questions

[SOLVED] Activating swap at boot with an init.d script?

2012-01-02 19:13:33
Liam W
13370 View
2 Score
1 Answer
Tags: swap init.d

[SOLVED] How to fix SELinux "avc: denied" errors when launching DNSCrypt as init.d script?

1 comments

@Irfan Latif 2019-02-10 18:31:48

SELINUX AND AVC DENIALS

SELINUX ON ANDROID

ROOTING AND SELINUX

HOW TO ADD CUSTOM INIT SERVICE TO ANDROID?

@beeshyams 2019-02-10 19:56:34

@wellsaid 2019-02-13 12:03:34

@Irfan Latif 2019-02-13 12:52:43

@wellsaid 2019-02-14 14:20:26

@Irfan Latif 2019-02-14 15:12:41

Related Questions

Sponsored Content

1 Answered Questions

[SOLVED] How to make SELinux injected rules persistent without unpacking-packing boot.img?

1 Answered Questions

Init.d script trouble shooting

1 Answered Questions

Fix SELinux contexts for a SU binary

3 Answered Questions

[SOLVED] How can I run a custom .sh script at each startup (without native init.d support)?

1 Answered Questions

Init.d Script won't work to keep value

1 Answered Questions

[SOLVED] How SElinux protects android from rooting

1 Answered Questions

[SOLVED] remove the script in init.d

1 Answered Questions

[SOLVED] Activating swap at boot with an init.d script?

Sponsored Content

Technology Thread

Language Thread

SCIENCE Thread

1 comments

@Irfan Latif 2019-02-10 18:31:48

SELINUX AND AVC DENIALS

SELINUX ON ANDROID

ROOTING AND SELINUX

HOW TO ADD CUSTOM INIT SERVICE TO ANDROID?

@beeshyams 2019-02-10 19:56:34

@wellsaid 2019-02-13 12:03:34

@Irfan Latif 2019-02-13 12:52:43

@wellsaid 2019-02-14 14:20:26

@Irfan Latif 2019-02-14 15:12:41

Related Questions

Sponsored Content

1 Answered Questions

1 Answered Questions

1 Answered Questions

3 Answered Questions

1 Answered Questions

1 Answered Questions

1 Answered Questions

1 Answered Questions

Sponsored Content