Add execmem SELinux rule for system_server

[JingMatrix]

In commit 3d11c2f, the rule execmem is removed without explanation, possibly because that it is by default allowed for nearly all devices.

However, from user bug report, this rule is missing on Realme X7 Max 5G (realme/RMX3031/RMX3031L1:13/TP1A.220905.001/R.ead5d5-5fba), causing the function shouldSkipSystemServer in ConfigManager.java returning true.

We add it back to support our IPC bridge injection into system_server.

[JingMatrix]

@xCaptaiN09, please test the latest CI to see if your issue is fixed: https://github.com/JingMatrix/LSPosed/actions/runs/22826955140

[JingMatrix]

@xCaptaiN09, if it is still not work, you should change your root solution (KenerlSU). The sepolicy tools of your root is not working.

[xCaptaiN09]

@xCaptaiN09, if it is still not work, you should change your root solution (KenerlSU). The sepolicy tools of your root is not working.

Okay.. I will try to change root solution then ..

Here is logs
tested latest CI, but still crashing

avc: denied { read } for comm="main" dev="nsfs" scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0

USER_NS is disabled on my kernel btw.
Previous crash was lsplant SIGSEGV, this one is new.

lspd.zip
KernelSU_bugreport_2026-03-09_02_44.tar.gz

[JingMatrix]

@xCaptaiN09 The reason of crahsing doesn't change. You should use the official KernelSU. There is no reason to blindly trust some variants without understanding it at all. Be cautious and responsible for your choice.

Curcial logs:

[LogWatchDog running] log.tag: ; logd.[default, crash, main, system].size: [131072,131072,131072,131072]
[ 2026-03-09T02:43:17.091        0:  1512:  1512 E/SELinux         ] avc:  denied  { execute } for  scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
[ 2026-03-09T02:43:17.091        0:  1512:  1512 E/SELinux         ] avc:  denied  { execute_no_trans } for  scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
[ 2026-03-09T02:43:17.097        0:  1512:  1822 I/LSPosedDex2Oat  ] Dex2oat wrapper daemon start
[ 2026-03-09T02:43:17.097        0:  1512:  1822 E/SELinux         ] avc:  denied  { execute_no_trans } for  scontext=u:r:dex2oat:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
[ 2026-03-09T02:43:17.120        0:  1512:  1512 I/LSPosedService  ] service package is not started, wait 1s.
[ 2026-03-09T02:43:18.092        0:  1941:  1941 I/VectorNative    ] System server process detected. Marking for injection.
[ 2026-03-09T02:43:18.121        0:  1512:  1512 I/LSPosedService  ] service package is not started, wait 1s.
[ 2026-03-09T02:43:18.303     1000:  1941:  1941 I/VectorNative    ] Got system server binder on attempt 1.
[ 2026-03-09T02:43:18.306        0:  1512:  1819 E/SELinux         ] avc:  denied  { execmem } for  scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process permissive=0
[ 2026-03-09T02:43:18.306        0:  1512:  1819 E/LSPosedService  ] skip injecting into android because sepolicy was not loaded properly
[ 2026-03-09T02:43:18.321     1000:  1941:  1941 I/VectorNative    ] IPC Bridge JNI hook installed successfully.
[ 2026-03-09T02:43:18.362     1000:  1941:  1941 F/libc            ] Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7a6fca2000 in tid 1941 (system_server), pid 1941 (system_server)

[xCaptaiN09]

@xCaptaiN09 The reason of crahsing doesn't change. You should use the official KernelSU. There is no reason to blindly trust some variants without understanding it at all. Be cautious and responsible for your choice.

Curcial logs:

[LogWatchDog running] log.tag: ; logd.[default, crash, main, system].size: [131072,131072,131072,131072]
[ 2026-03-09T02:43:17.091        0:  1512:  1512 E/SELinux         ] avc:  denied  { execute } for  scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
[ 2026-03-09T02:43:17.091        0:  1512:  1512 E/SELinux         ] avc:  denied  { execute_no_trans } for  scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
[ 2026-03-09T02:43:17.097        0:  1512:  1822 I/LSPosedDex2Oat  ] Dex2oat wrapper daemon start
[ 2026-03-09T02:43:17.097        0:  1512:  1822 E/SELinux         ] avc:  denied  { execute_no_trans } for  scontext=u:r:dex2oat:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
[ 2026-03-09T02:43:17.120        0:  1512:  1512 I/LSPosedService  ] service package is not started, wait 1s.
[ 2026-03-09T02:43:18.092        0:  1941:  1941 I/VectorNative    ] System server process detected. Marking for injection.
[ 2026-03-09T02:43:18.121        0:  1512:  1512 I/LSPosedService  ] service package is not started, wait 1s.
[ 2026-03-09T02:43:18.303     1000:  1941:  1941 I/VectorNative    ] Got system server binder on attempt 1.
[ 2026-03-09T02:43:18.306        0:  1512:  1819 E/SELinux         ] avc:  denied  { execmem } for  scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process permissive=0
[ 2026-03-09T02:43:18.306        0:  1512:  1819 E/LSPosedService  ] skip injecting into android because sepolicy was not loaded properly
[ 2026-03-09T02:43:18.321     1000:  1941:  1941 I/VectorNative    ] IPC Bridge JNI hook installed successfully.
[ 2026-03-09T02:43:18.362     1000:  1941:  1941 F/libc            ] Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7a6fca2000 in tid 1941 (system_server), pid 1941 (system_server)

fixed the execmem issue, but still crashing... I checked more deeper and looks like lsplant is trying to write to a sealed ART JIT page. android 16 seals those with F_SEAL_WRITE so the write fails. is this a lsplant limitation on android 16 W^X or am i missing something....??

[JingMatrix]

@xCaptaiN09 Upload your logs, and provide information how you fixed the execmem issue.

[xCaptaiN09]

@xCaptaiN09 Upload your logs, and provide information how you fixed the execmem issue.

fixed execmem by making a separate module that runs ksud sepolicy apply on all module sepolicy rules at boot...
KernelSU_bugreport_2026-03-09_04_27.tar.gz
post-fs-data.sh
since SukiSU doesn't do it automatically. execmem denial is gone now but SIGSEGV still happens.

[JingMatrix]

Please upload LSPosed logs as before.
From your logs, you claimed is not true, the sepolicy is not applied.

[xCaptaiN09]

Please upload LSPosed logs as before. From your logs, you claimed is not true, the sepolicy is not applied.

lspd.zip
KernelSU_bugreport_2026-03-09_10_03.tar.gz

Actually what's the problem, who can fix?. Is it kernel side problem or lsposed or zygisk or Android side?

[Dev4Mod]

[ 2026-03-09T10:02:31.311     1000:  1973:  1973 I/VectorNative    ] Got system server binder on attempt 1.
[ 2026-03-09T10:02:31.312        0:  1578:  1865 E/SELinux         ] avc:  denied  { execmem } for  scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process permissive=0
[ 2026-03-09T10:02:31.312        0:  1578:  1865 E/LSPosedService  ] skip injecting into android because sepolicy was not loaded properly

SELinux continues to deny access to execmem if you are using the build that JingMatrix asked you to download and this error is still occurring.It's most likely a problem with your SukiSU root manager.Does the release version work for you?

[JingMatrix]

@xCaptaiN09 It is the problem of your root solution, you can fix it by abandon SukiSU and use other alternatives.

[xCaptaiN09]

@xCaptaiN09 It is the problem of your root solution, you can fix it by abandon SukiSU and use other alternatives.

Thankyou,
Our kernel is Linux 4.19.325 legacy.
So which is best for that now.. kernelsu next? Or official ksu or any other. Any suggestions

[JingMatrix]

@xCaptaiN09 I'd thus suggest you to try all variants you found and report this issue to them actively.