Copyright notice: https://blog.csdn.net/Sunxiaolin2016/article/details/91435362
I. Violating neverallow rules
The article "Android P关于串口访问权限的问题" (on serial-port access permissions in Android P) discussed the SELinux permission problem.
Paths of the SELinux *.te files:
p9.0.0.0\device\fsl\imx8q\sepolicy
p9.0.0.0\system\sepolicy
To grant the serial port the permissions it needed, several *.te policy files were modified; after that change the system build failed.
The error output was:
FAILED: out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 31 of system/sepolicy/private/domain.te (or line 26746 of policy.conf) violated by allow system_app sysfs:file { read write create setattr open };
libsepol.report_failure: neverallow on line 507 of system/sepolicy/public/app.te (or line 8383 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
Error analysis: the newly added allow rule for system_app violates neverallow rules in system/sepolicy/private/domain.te and system/sepolicy/public/app.te.
Solution:
1. In system/sepolicy/private/domain.te, change:
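As an added example (not from the original post), the small parser below reads the libsepol.report_failure lines printed above and groups them by the allow rule that caused them. That makes two things visible at once: a single rule, allow system_app sysfs:file { ... }, trips two different neverallows, and the union of the reported permissions is exactly what would have to be dropped from that allow rule to clear every failure while leaving the platform neverallows untouched. The sample log is copied from the build output above; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input, copied from the checkpolicy output in the build log above.
SAMPLE_LOG = """\
libsepol.report_failure: neverallow on line 31 of system/sepolicy/private/domain.te (or line 26746 of policy.conf) violated by allow system_app sysfs:file { read write create setattr open };
libsepol.report_failure: neverallow on line 507 of system/sepolicy/public/app.te (or line 8383 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
"""

# One report_failure line: where the neverallow lives (.te file and the
# expanded policy.conf line) and the allow rule that violated it.
FAILURE_RE = re.compile(
    r"libsepol\.report_failure: neverallow on line (?P<te_line>\d+) of (?P<te_file>\S+) "
    r"\(or line (?P<conf_line>\d+) of policy\.conf\) violated by allow "
    r"(?P<source>\S+) (?P<target>[^:\s]+):(?P<cls>\S+) \{ (?P<perms>[^}]*)\};"
)
COUNT_RE = re.compile(r"libsepol\.check_assertions: (\d+) neverallow failures? occurred")


def parse_neverallow_failures(log):
    """Return one dict per libsepol.report_failure line in the log."""
    failures = []
    for line in log.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        failures.append({
            "te_file": m["te_file"],
            "te_line": int(m["te_line"]),
            "conf_line": int(m["conf_line"]),
            "source": m["source"],
            "target": m["target"],
            "class": m["cls"],
            "perms": frozenset(m["perms"].split()),
        })
    return failures


def parse_failure_count(log):
    """The count libsepol prints at the end, or None if the line is absent."""
    m = COUNT_RE.search(log)
    return int(m.group(1)) if m else None


def group_by_allow_rule(failures):
    """Group failures by (source, target, class) of the offending allow rule.

    'perms' is the union of permissions any neverallow complained about, i.e.
    the permissions to remove from that allow rule so the policy compiles
    without weakening the neverallows; 'neverallows' lists where each
    violated rule is defined.
    """
    grouped = defaultdict(lambda: {"perms": set(), "neverallows": []})
    for f in failures:
        key = (f["source"], f["target"], f["class"])
        grouped[key]["perms"] |= f["perms"]
        grouped[key]["neverallows"].append((f["te_file"], f["te_line"]))
    return dict(grouped)


def triage(log):
    """Human-readable summary, one entry per offending allow rule."""
    failures = parse_neverallow_failures(log)
    count = parse_failure_count(log)
    lines = []
    if count is not None and count != len(failures):
        lines.append(f"warning: libsepol reported {count} failures, parsed {len(failures)}")
    for (src, tgt, cls), info in group_by_allow_rule(failures).items():
        where = ", ".join(f"{f}:{n}" for f, n in info["neverallows"])
        lines.append(
            f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }} "
            f"violates {len(info['neverallows'])} neverallow rule(s): {where}"
        )
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Pipe the real build log into triage() to get one line per offending allow rule instead of one line per violated neverallow; when the reported count and the parsed count disagree, a report_failure line has a shape the regex does not cover and should be inspected by hand.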
# /sys
neverallow {
coredomain
-init
-ueventd
-vold
} sysfs:file no_rw_file_perms;
to:
# /sys
neverallow {
coredomain
-init
-ueventd
-vold
-appdomain # exclude appdomain (.te files use '#' for comments, not '//')
} sysfs:file no_rw_file_perms;
That is, "apps are never allowed to read or write sysfs:file" is changed to "apps may be allowed to read or write sysfs:file".
2. In system\sepolicy\public\app.te, change:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:dir_file_class_set write;
neverallow appdomain
proc:dir_file_class_set write;
to:
# Write to various pseudo file systems.
#neverallow { appdomain -bluetooth -nfc }
# sysfs:dir_file_class_set write;
neverallow appdomain
proc:dir_file_class_set write;
That is, comment out neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write; to lift the neverallow restriction.
II. system/sepolicy/prebuilts/api/28.0/private and system/sepolicy/private are out of sync
The files under system/sepolicy/prebuilts/api/28.0/private must match those under system/sepolicy/private,
and the files under system/sepolicy/prebuilts/api/28.0/public must match those under system/sepolicy/public.
Otherwise the build fails with:
[ 0% 1/321] build out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
/bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/28.0/public/app.te and system/sepolicy/public/app.te differ
[ 2% 7/321] Merging KERNEL config
Using /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx/arch/arm64/configs/android_car_defconfig as base
Merging /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx
sed: read error on /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
cat: /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
make[1]: Entering directory `/home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/out/target/product/mek_8q/obj/KERNEL_OBJ'
GEN ./Makefile
/bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/28.0/private/domain.te and system/sepolicy/private/domain.te differ
[ 0% 2/315] build out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy: policy configuration loaded
out/host/linux-x86/bin/checkpolicy: writing CIL to out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[ 1% 6/315] Merging KERNEL config
Using /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx/arch/arm64/configs/android_car_defconfig as base
Merging /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx
sed: read error on /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
cat: /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
make[1]: Entering directory `/home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/out/target/product/mek_8q/obj/KERNEL_OBJ'
GEN ./Makefile
scripts/kconfig/conf --alldefconfig Kconfig
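The sepolicy_freeze_test rule in the log above is nothing more than two diff -rq runs between the frozen API copy and the live policy trees. As an added example (not part of the original post or of the Android build system), the Python below reproduces that check so it can be run before kicking off a full build: it reports files present on only one side and files whose contents differ, in the wording diff -rq uses. The demo constructs two small trees in a temporary directory in which app.te carries the commented-out rule from section I and a new serial.te exists only on the live side; the function and file names are mine.

```python
import filecmp
import os
import tempfile
from pathlib import Path


def sepolicy_freeze_check(frozen_dir, current_dir):
    """Compare two sepolicy trees the way `diff -rq` does.

    Returns a list of findings; an empty list means the freeze test would pass.
    """
    frozen, current = Path(frozen_dir), Path(current_dir)
    frozen_files = {p.relative_to(frozen) for p in frozen.rglob("*") if p.is_file()}
    current_files = {p.relative_to(current) for p in current.rglob("*") if p.is_file()}

    findings = []
    # Files that exist on one side only (diff -rq prints these as "Only in").
    for rel in sorted(frozen_files - current_files):
        findings.append(f"Only in {frozen / rel.parent}: {rel.name}")
    for rel in sorted(current_files - frozen_files):
        findings.append(f"Only in {current / rel.parent}: {rel.name}")
    # Files present on both sides: compare contents byte for byte.
    # shallow=False matters: a stat-only comparison would miss an edit that
    # happens to keep the same size and modification time.
    for rel in sorted(frozen_files & current_files):
        if not filecmp.cmp(frozen / rel, current / rel, shallow=False):
            findings.append(f"Files {frozen / rel} and {current / rel} differ")
    return findings


def demo():
    """Constructed sample: frozen and live 'public' trees that diverge in two ways.

    Paths are returned relative to the temporary directory so the result is
    stable across runs.
    """
    with tempfile.TemporaryDirectory() as tmp:
        frozen = Path(tmp, "prebuilts", "api", "28.0", "public")
        current = Path(tmp, "public")
        for root in (frozen, current):
            root.mkdir(parents=True)
            (root / "domain.te").write_text("# identical on both sides\n")

        rule = "neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;\n"
        (frozen / "app.te").write_text(rule)          # frozen API keeps the rule
        (current / "app.te").write_text("#" + rule)   # live tree has it commented out
        (current / "serial.te").write_text("# new policy file, hypothetical\n")

        prefix = tmp + os.sep
        return [f.replace(prefix, "") for f in sepolicy_freeze_check(frozen, current)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real trees with sepolicy_freeze_check("system/sepolicy/prebuilts/api/28.0/public", "system/sepolicy/public") and again for the private pair; any finding is exactly what the build's freeze test will stop on, and, as the section above says, the two trees have to be brought back into agreement before the build passes.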