Android P系统编译报错SELinux违反Neverallow

其他 2019-07-05 16:01:37 阅读次数: 0
版权声明: https://blog.csdn.net/Sunxiaolin2016/article/details/91435362

一、违反neverallow规则

在文章《Android P关于串口访问权限的问题》讲到了关于SELinux权限问题。

SeLinux的*.te文件路径:
p9.0.0.0\device\fsl\imx8q\sepolicy
p9.0.0.0\system\sepolicy

其中为了给串口增加权限,修改了一些*.te的权限配置文件,修改完之后系统编译报错。

报错信息如下:

FAILED: out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 		30 -o out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 31 of system/sepolicy/private/domain.te (or line 26746 of policy.conf) violated by allow system_app sysfs:file { read write create setattr open };
libsepol.report_failure: neverallow on line 507 of system/sepolicy/public/app.te (or line 8383 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/policy.conf

错误分析:system/sepolicy/private/domain.te和system/sepolicy/public/app.te违反了neverallows规则

解决办法:

1.修改system/sepolicy/private/domain.te文件中的:

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

修改为:

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
    -appdomain		//排除appdomain
  } sysfs:file no_rw_file_perms;

绝对不允许app对sysfs:file进行文件读写操作,改为:可以允许app对sysfs:file进行文件读写操作。

2.修改修改system\sepolicy\public\app.te文件中的:

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

改为:

# Write to various pseudo file systems.
#neverallow { appdomain -bluetooth -nfc }
#    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

即注释掉neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;

解除Neverallow的限制。

二、system/sepolicy/prebuilts/api/28.0/private和system/sepolicy/private文件不一致

system/sepolicy/prebuilts/api/28.0/private和system/sepolicy/private下面的文件
system/sepolicy/prebuilts/api/28.0/public和system/sepolicy/public下面的文件,必须保持一致

否则会报错误:

[  0% 1/321] build out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test 
/bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/28.0/public/app.te and system/sepolicy/public/app.te differ
[  2% 7/321] Merging KERNEL config
Using /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx/arch/arm64/configs/android_car_defconfig as base
Merging /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx
sed: read error on /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
cat: /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
make[1]: Entering directory `/home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/out/target/product/mek_8q/obj/KERNEL_OBJ'
  GEN     ./Makefile

/bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/28.0/private/domain.te and system/sepolicy/private/domain.te differ
[  0% 2/315] build out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy:  policy configuration loaded
out/host/linux-x86/bin/checkpolicy:  writing CIL to out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[  1% 6/315] Merging KERNEL config
Using /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx/arch/arm64/configs/android_car_defconfig as base
Merging /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx
sed: read error on /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
cat: /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
make[1]: Entering directory `/home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/out/target/product/mek_8q/obj/KERNEL_OBJ'
  GEN     ./Makefile
scripts/kconfig/conf  --alldefconfig Kconfig

猜你喜欢

转载自blog.csdn.net/Sunxiaolin2016/article/details/91435362
今日推荐
《美国对全球网络空间安全与发展的威胁和破坏》报告发布
火速冲上 GitHub 热榜 —— 开源编程语言、框架哪有这么可爱?
北京人形机器人创新中心发布全球首个纯电驱拟人奔跑的全尺寸人形机器人“天工”
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
周排行
循环神经网络(rnn)讲解
Tigao教程四:单独的关节运动
金蝶K3WISE15.0-注册套打教程
如何在Mac上配置Kubernetes
Android应用结束自身进程的方法
SpringMVC学习 十三 拦截器栈
中国驻洛杉矶总领馆举行新春招待会
HttpClient get post 发送
11 - three.js 笔记 - 绘制三维字体模型
Mysql递归获取某个父节点下面的所有子节点和子节点上的所有父节点
每日归档
更多
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022