How is SEAndroid process domain given


I've been looking at SEAndroid, and I've been trying to understand how a process domain is given.

So far, what I have found is that in the init.rc file, under some of the service declarations, there is a token called seclabel:

service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

which later in init.c is set by setexeccon to the context that was written:

if (svc->seclabel) {
    if (is_selinux_enabled() > 0 && setexeccon(svc->seclabel) < 0) {
        ERROR("cannot setexeccon('%s'): %s\n", svc->seclabel, strerror(errno));
        _exit(127);
    }
}

In the example above the domain will be adbd.

But I couldn't find what happens when there is no seclabel token in the service declaration. What happens in init.c is that it will not call setexeccon at all, meaning... keep the parent's domain?

A call to:

ps -Z

in adb shell, which shows all the processes and their domains, shows otherwise.

For example, the servicemanager in init.rc:
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

but a call to ps -Z shows:

u:r:servicemanager:s0          system    53    1     /system/bin/servicemanager

What's going on?!


OK, I looked at the code and finally got the answer!

The file /external/sepolicy/seapp_contexts, found on the root file system in the Android image, includes the following content:

isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user

This defines the security settings (outputs) for each process according to some inputs. We can see in this example, in the first line:

If it's the system server, its domain will be system_server.

Or in the last line:

The _app keyword stands for every app that doesn't have a rule associated with it. So by default, an application's domain will be untrusted_app, and the label of the files belonging to it will be app_data_file.

More documentation on the syntax of the file is found inside the file.
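As an added illustration (not code from the answer or from Android itself), the following Python parses the seapp_contexts excerpt quoted above and picks the domain for a process the way the rules are meant to be read: every selector on a rule must match, and the most specific matching rule wins. The UID-name patterns for _app and _isolated and the specificity weights are assumptions made for this example.

```python
import re
# Constructed sample: the seapp_contexts excerpt quoted in the answer above.
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
"""
INPUT_KEYS = {"isSystemServer", "user", "seinfo"}  # selector columns handled here

def parse_seapp_contexts(text):
    # Each line becomes (input selectors, output labels); '#' starts a comment.
    rules = []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        kv = dict(tok.split("=", 1) for tok in line.split())
        rules.append(({k: v for k, v in kv.items() if k in INPUT_KEYS},
                      {k: v for k, v in kv.items() if k not in INPUT_KEYS}))
    return rules

def _user_matches(pattern, user):
    # Assumption: _app covers ordinary app UIDs (u0_aNN), _isolated the isolated ones (u0_iNN).
    if pattern == "_app":
        return re.fullmatch(r"u\d+_a\d+", user) is not None
    if pattern == "_isolated":
        return re.fullmatch(r"u\d+_i\d+", user) is not None
    return pattern == user

def select_context(rules, user, seinfo="default", is_system_server=False):
    """Return the outputs of the most specific matching rule, or None if nothing matches."""
    best, best_score = None, -1
    for inputs, outputs in rules:
        # A rule without isSystemServer only applies to processes that are not the system server.
        if (inputs.get("isSystemServer", "false") == "true") != is_system_server:
            continue
        score, ok = 0, True
        if "user" in inputs:  # an exact user name outranks the _app/_isolated wildcards
            ok = _user_matches(inputs["user"], user)
            score += 5 if inputs["user"].startswith("_") else 10
        if ok and "seinfo" in inputs:
            ok = inputs["seinfo"] == seinfo
            score += 2
        if ok and score > best_score:
            best, best_score = outputs, score
    return best
```

These rules are consulted when zygote forks an app process; a native daemon started directly by init with no seclabel (such as servicemanager) gets its domain from the policy's type transition on its executable's file label, which is why no app-style rule is needed for it.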