Android SELinux in Enforcing mode: problems and fixes

Platform:

RK3288 + Android 5.1.1

Change the SELinux mode to enforcing (the default is permissive).
The main change is in the parameter file:

FIRMWARE_VER:5.1.1
MACHINE_MODEL:rk3288
...
#private 6GB, System 512MB, Data 3GB, origin 512MB
CMDLINE:console=ttyFIQ0 androidboot.selinux=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00040000@0x00050000(cache),0x00002000@0x00090000(kpanic),0x00400000@0x00092000(system),0x00008000@0x00492000(metadata),0x00C00000@0x0049A000(private),0x0012C000@0x0109A000(origin),0x00600000@0x011C6000(userdata),0x00020000@0x017C6000(radical_update),-@0x017E6000(user)

The key part is: androidboot.selinux=enforcing

After the system boots, use getenforce to check that the setting took effect:

#adb shell getenforce
Enforcing

Problem 1:

A custom service fails to start and Android reboots endlessly. The log:

01-02 02:17:00.313 I/ActivityManagerService( 3003): Start proc 3581:com.android.settings/1000 for broadcast com.android.settings/.HdmiReceiver
01-02 02:17:00.322 D/SystemControlerService( 3003): ALog onServiceConnected
01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:17:00.323 D/SystemControlerService( 3538): ALog android.net.wifi.WIFI_STATE_CHANGED
01-02 02:17:00.323 D/AndroidRuntime( 3003): Shutting down VM
01-02 02:17:00.323 E/AndroidRuntime( 3003): *** FATAL EXCEPTION IN SYSTEM PROCESS: main
01-02 02:17:00.323 E/AndroidRuntime( 3003): java.lang.SecurityException
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.BinderProxy.transactNative(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.os.SystemControlerService.access$000(SystemControlerService.java:51)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.os.SystemControlerService$1.onServiceConnected(SystemControlerService.java:80)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1208)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1225)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Handler.handleCallback(Handler.java:739)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Handler.dispatchMessage(Handler.java:95)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Looper.loop(Looper.java:135)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemServer.run(SystemServer.java:274)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at java.lang.reflect.Method.invoke(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:17:00.328 E/ActivityManagerService( 3003): warning: could NOT find SYSTEMCTRL_SERVICE service
01-02 02:17:00.521 W/art     ( 3003): Long monitor contention event with owner method=boolean com.android.server.am.ActivityManagerService.unbindService(android.app.IServiceConnection) from ActivityManagerService.java:15763 waiters=0 for 192ms
01-02 02:17:00.522 E/AndroidRuntime( 3003): Error reporting crash
01-02 02:17:00.522 E/AndroidRuntime( 3003): java.lang.NullPointerException: Attempt to read from field 'android.content.pm.ApplicationInfo com.android.server.am.ProcessRecord.info' on a null object reference
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11969)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.server.am.ActivityManagerService.handleApplicationCrash(ActivityManagerService.java:11945)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.internal.os.RuntimeInit$UncaughtHandler.uncaughtException(RuntimeInit.java:89)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:693)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:690)
01-02 02:17:00.522 I/Process ( 3003): Sending signal. PID: 3003 SIG: 9
01-02 02:17:00.587 I/ServiceManager(  171): service 'display' died
01-02 02:17:00.588 W/AudioFlinger( 2778): power manager service died !!!
01-02 02:17:00.590 E/WifiManager( 3108): Channel connection lost
01-02 02:17:00.591 D/SurfaceFlinger(  174): Set power mode=2, type=0 flinger=0xb7b91550
01-02 02:17:00.591 D/SurfaceFlinger(  174): Screen type=0 is already mode=2
01-02 02:17:00.599 I/ServiceManager(  171): service 'hardware' died
01-02 02:17:00.600 E/BufferQueueProducer(  174): [StatusBar] queueBuffer: BufferQueue has been abandoned
01-02 02:17:00.600 E/Surface ( 3108): queueBuffer: error queuing buffer to SurfaceTexture, -19
01-02 02:17:00.600 F/OpenGLRenderer( 3108): Encountered EGL error 12299 EGL_BAD_NATIVE_WINDOW during rendering
01-02 02:17:00.601 F/libc    ( 3108): Fatal signal 6 (SIGABRT), code -6 in tid 3526 (RenderThread)
01-02 02:17:00.603 I/ServiceManager(  171): service 'webviewupdate' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'consumer_ir' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'user' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'sensorservice' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'batterystats' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'appops' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'power' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'device_policy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'input' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'input_method' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'clipboard' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'account' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'entropy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'vibrator' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'cpuinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'procstats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'mount' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'telephony.registry' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'devicestoragemonitor' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'content' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'gfxinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'package' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'statusbar' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'meminfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'dbinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'permission' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'activity' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'servicediscovery' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'netstats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'wifip2p' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'usagestats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'textservices' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'scheduling_policy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'battery' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'alarm' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'lock_settings' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'accessibility' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'window' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'bluetooth_manager' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'network_score' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'netpolicy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'network_management' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'search' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'country_detector' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wifiscanner' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wifi' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'ethernet' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'location' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'rttmanager' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'connectivity' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'updatelock' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'notification' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'dreams' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wallpaper' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'dropbox' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'DockObserver' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_session' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'audio' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'usb' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'assetatlas' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'uimode' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'jobscheduler' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'samplingprofiler' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'voiceinteraction' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'appwidget' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'commontime_management' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'backup' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'serial' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'diskstats' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_router' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'display_device_management' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_projection' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'fingerprint' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'trust' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'restrictions' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'print' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'imms' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'launcherapps' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'telecom' died
01-02 02:17:00.702 E/DEBUG   (  189): Failed to find a valid tombstone, default to using tombstone 0.
01-02 02:17:00.702 E/DEBUG   (  189): failed to open tombstone file '/data/tombstones/tombstone_00': No such file or directory
01-02 02:17:00.702 I/DEBUG   (  189): Skipping tombstone write, nothing to do.
01-02 02:17:00.726 I/BootAnimation( 3601): boot_animation_process start, built at '18:49:46', on 'Sep 21 2017'.

Another example:
01-02 02:25:23.372 I/SystemServiceManager(  495): Starting com.android.server.pppoe.PppoeService
01-02 02:25:23.373 I/PppoeServiceImpl(  495): Creating PppoeServiceImpl
01-02 02:25:23.375 I/PppoeService(  495): Registering service pppoe
01-02 02:25:23.376 E/SELinux (  171): avc:  denied  { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager(  171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 W/SystemServer(  495): ***********************************************
01-02 02:25:23.377 F/SystemServer(  495): BOOT FAILURE start PppoeService error 
01-02 02:25:23.377 F/SystemServer(  495): java.lang.RuntimeException: Failed to start service com.android.server.pppoe.PppoeService: onStart threw an exception
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:111)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:65)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.startOtherServices(SystemServer.java:709)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.run(SystemServer.java:261)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:25:23.377 F/SystemServer(  495):   at java.lang.reflect.Method.invoke(Native Method)
01-02 02:25:23.377 F/SystemServer(  495):   at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:25:23.377 F/SystemServer(  495): Caused by: java.lang.SecurityException
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.BinderProxy.transactNative(Native Method)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.pppoe.PppoeService.onStart(PppoeService.java:40)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:109)
01-02 02:25:23.377 F/SystemServer(  495):   ... 8 more
01-02 02:25:23.377 I/SystemServer(  495): Connectivity Service
01-02 02:25:23.380 D/ConnectivityService(  495): ConnectivityService starting up

The key log lines:

01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED

01-02 02:25:23.376 E/SELinux (  171): avc:  denied  { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager(  171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED

-------- Solution --------

$ git diff device/rockchip/common/sepolicy/service_contexts
diff --git a/device/rockchip/common/sepolicy/service_contexts b/device/rockchip/common/sepolicy/service_contexts
old mode 100644
new mode 100755
index 216f6b8..5cc9fd3
--- a/device/rockchip/common/sepolicy/service_contexts
+++ b/device/rockchip/common/sepolicy/service_contexts
@@ -2,3 +2,5 @@
 fmradioservice                u:object_r:radio_service:s0
 oemtelephony                  u:object_r:radio_service:s0
 msm.registry                  u:object_r:system_app_service:s0
+systemctrl                    u:object_r:system_server_service:s0
+pppoe                                            u:object_r:system_server_service:s0
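Review bot: the entry is named systemctrl while the denial above is for service=systemctrl_service (add_service('systemctrl_service',60)); use the full service name so the label does not depend on the lookup backend doing prefix rather than exact matching. The mode change 100644 -> 100755 is unrelated to the fix and makes a data file executable, so drop it; and align the pppoe line's whitespace with the rows above.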

PS:

The SELinux policy sources live in two places:
|-- device/rockchip/common/sepolicy/
|-- external/sepolicy/
Build and apply:

mmm external/sepolicy/ && ./mkimage.sh

Then flash boot.img and, optionally, recovery.img with the flashing tool.

Problem 2:

File access is denied: reading a directory, viewing file attributes, creating files, writing, and so on.
A custom private partition is used, mounted at /private.
The error log typically looks like:

 #type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
This means: system_server is not allowed the search operation on a dir of type vfat.
The fix is to add the following to the TE file:
+allow system_server vfat:dir { search };

 #type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
+allow system_app system_app_data_file:file { execute };
Other denials are fixed in the same way.
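The mapping from a denial line to the change this page makes for it, written as an added example rather than the author's code: a minimal stand-in for audit2allow that handles both kinds of denial shown here (the service_manager case from Problem 1, which needs a service_contexts label rather than an allow rule, and the file/dir cases from Problem 2). The sample log is constructed from the lines above plus one invented ttyACM denial, and the '<domain>_service' label is assumed from the page's system_server_service example.

```python
import re

# Constructed sample log, the same shape as the denials shown on this page
# (a logcat-prefixed service_manager denial, two audit-style file denials,
# and a constructed chr_file denial for a ttyACM node).
SAMPLE_LOG = """\
01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:9): avc: denied { read open } for path="/dev/ttyACM0" dev="tmpfs" ino=9 scontext=u:r:system_app:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<detail>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_denial(line):
    """Return the fields of one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = sorted(d["perms"].split())
    # u:r:system_server:s0 -> system_server, u:object_r:vfat:s0 -> vfat
    d["sdomain"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    svc = re.search(r"service=(\S+)", d["detail"])
    d["service"] = svc.group(1) if svc else None
    return d

def suggest_fix(denial):
    """Map a parsed denial to the policy change this page makes for it.

    A service_manager { add } denial whose target is default_android_service
    means the service name has no entry in service_contexts; the fix is a
    label there, not an allow rule on default_android_service (that would
    open service_manager to every unlabelled service).  The '<domain>_service'
    label follows the page's system_server_service example and is an
    assumption for other domains.  Anything else becomes a plain TE allow
    rule, which is what audit2allow would print.
    """
    if denial["tclass"] == "service_manager" and denial["ttype"] == "default_android_service":
        return "service_contexts: %s u:object_r:%s_service:s0" % (
            denial["service"], denial["sdomain"])
    return "allow %s %s:%s { %s };" % (
        denial["sdomain"], denial["ttype"], denial["tclass"], " ".join(denial["perms"]))

def suggest_fixes(log_text):
    """One suggestion per distinct denial in the log, in order of first appearance."""
    fixes = []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and suggest_fix(d) not in fixes:
            fixes.append(suggest_fix(d))
    return fixes

if __name__ == "__main__":
    for fix in suggest_fixes(SAMPLE_LOG):
        print(fix)
```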

Granting system_app read/write access:

diff --git a/device/rockchip/common/sepolicy/file.te b/device/rockchip/common/sepolicy/file.te
old mode 100644
new mode 100755
index 371e1dc..1cd6326
--- a/device/rockchip/common/sepolicy/file.te
+++ b/device/rockchip/common/sepolicy/file.te
@@ -26,10 +26,11 @@ type rpc_send_socket, file_type;
 type rpc_reg_socket, file_type;

 type metadata_file, file_type;
+type private_file, file_type;

diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
old mode 100644
new mode 100755
index fc55766..118ed6b
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -11,6 +11,9 @@
 # Bluetooth
 /dev/ttyBT(.*)                  u:object_r:tty_device:s0

 # logcat
 /system/bin/logcat              u:object_r:logcat_exec:s0

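Review bot: the header -11,6 +11,9 says three lines were added in this hunk, but only unchanged context (the Bluetooth and logcat entries) is shown; the added lines are missing, so this part of the change cannot be reviewed as posted. Regenerate the diff so the additions appear.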
@@ -127,6 +130,7 @@
 /system/bin/akmd     u:object_r:akmd_exec:s0

 /metadata(/.*)?      u:object_r:metadata_file:s0
+/private(/.*)?      u:object_r:private_file:s0

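Review bot: a file_contexts entry only sets the label of files created after the change or relabelled by restorecon; anything already on the /private partition keeps its old label, so relabel /private (or reformat it) after installing this policy, otherwise the private_file rules will not match and the same denials will persist with the old tcontext. Also align the new line's columns with the /metadata entry above it.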
+++ b/device/rockchip/common/sepolicy/system_app.te
@@ -18,6 +18,39 @@ allow system_app cache_file:file create_file_perms;
 allow system_app thermal_file:file rw_file_perms;
 allow system_app pekallfmrserver:binder { call transfer };
 allow system_app default_prop:property_service { set };
+#private
+allow system_app private_file:dir rw_dir_perms;
+allow system_app private_file:file execute;
+allow system_app private_file:file rw_file_perms;
+allow system_app private_file:dir { append create open write getattr setattr rename execute};
+allow system_app private_file:file { append unlink create open write getattr setattr rename execute};
+allow system_app toolbox_exec:file { read open getattr execute execute_no_trans};
+allow system_app su_exec:file { read open getattr execute execute_no_trans};
+
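Review bot: the su_exec and toolbox_exec rules at the end of the hunk are unrelated to the /private partition this change is for, and letting system_app execute su_exec without a domain transition undoes most of what enforcing mode buys; drop them or move them to a separate, justified change. The private_file rules also overlap: rw_dir_perms and rw_file_perms already include open, read, write, append and getattr, and the file execute grant appears twice, so the two explicit { append ... execute } lines can be reduced to what is not already covered (create, unlink, setattr, rename).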

USB and serial port access, for example:
Define ttyACM in
|-- device/rockchip/common/sepolicy/file_contexts

# ACM
/dev/ttyACM[0-9]*               u:object_r:tty_device:s0

|-- device/rockchip/common/sepolicy/system_app.te

+allow system_app usb_device:dir rw_dir_perms;
+allow system_app tty_device:dir rw_dir_perms;
+allow system_app usb_device:chr_file {lock open read write ioctl};
+allow system_app tty_device:chr_file {lock open read write ioctl};

Problem 3:

The build fails when a permission you add conflicts with an existing definition:

mmm external/sepolicy/

libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 1 neverallow failures occurred
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
Error while expanding policy
make: *** [out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy] 错误 1
make: *** 正在等待未完成的任务....
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

The key line is:

neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) 

Look directly at what policy.conf contains:
|-- out/target/product/rk3288/obj/ETC/sepolicy_intermediates/policy.conf

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

The cause is that I tried to add read/write access to device node files for system_app in system_app.te:

allow system_app sysfs:file { read write getattr open };
# this definition conflicts with the one in external/sepolicy/app.te:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;

Solution:
|-- external/sepolicy/app.te

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
# change to:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app }
    sysfs:dir_file_class_set write;
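As an added example (not libsepol code), the check that makes the build above fail, reduced to the three things that matter here: attribute expansion, the '-domain' exclusions in the neverallow source set, and the dir_file_class_set expansion. The appdomain membership listed is assumed from AOSP 5.1 policy; the class set is the one policy.conf printed above. It also shows that after the -system_app exclusion the other app domains remain covered by the neverallow.

```python
import re

# Attribute membership assumed from AOSP 5.1 policy (app_domain() gives a
# domain the appdomain attribute); only the domains relevant here are listed.
ATTRIBUTES = {
    "appdomain": {"system_app", "platform_app", "untrusted_app",
                  "bluetooth", "nfc", "shell"},
}
# dir_file_class_set as global_macros expands it (matches the policy.conf
# expansion quoted above).
CLASS_SETS = {
    "dir_file_class_set": {"dir", "file", "lnk_file", "sock_file",
                           "fifo_file", "chr_file", "blk_file"},
}

# One level of braces only; the nested form policy.conf prints is not parsed.
RULE_RE = re.compile(
    r"^(?P<kind>allow|neverallow)\s+(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|\S+):(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>\{[^}]*\}|\S+)$"
)

def expand_set(expr, table):
    """Expand a name or '{ a b -c }' into concrete members.  A '-x' token
    removes x, or every member of x when x is an attribute or class set,
    which is exactly how the -bluetooth / -nfc exclusions above work."""
    result = set()
    for tok in expr.strip("{} ").split():
        name = tok.lstrip("-")
        members = table.get(name, {name})
        result = result - members if tok.startswith("-") else result | members
    return result

def parse_rule(text):
    """Parse 'allow|neverallow SRC TGT:CLASS PERMS;' into expanded sets."""
    m = RULE_RE.match(" ".join(text.split()).rstrip(";").strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    return {
        "kind": m.group("kind"),
        "src": expand_set(m.group("src"), ATTRIBUTES),
        "tgt": expand_set(m.group("tgt"), ATTRIBUTES),
        "cls": expand_set(m.group("cls"), CLASS_SETS),
        "perms": set(m.group("perms").strip("{} ").split()),
    }

def violating_perms(allow, neverallow):
    """Permissions the allow rule grants that the neverallow forbids for some
    common (source, target, class) tuple; empty means no assertion failure.
    This is the intersection libsepol reports, e.g. '... { write }'."""
    a, n = parse_rule(allow), parse_rule(neverallow)
    if a["src"] & n["src"] and a["tgt"] & n["tgt"] and a["cls"] & n["cls"]:
        return a["perms"] & n["perms"]
    return set()

ALLOW = "allow system_app sysfs:file { read write getattr open };"
ORIGINAL = "neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;"
PATCHED = "neverallow { appdomain -bluetooth -nfc -system_app } sysfs:dir_file_class_set write;"

if __name__ == "__main__":
    print("original:", violating_perms(ALLOW, ORIGINAL))   # {'write'}
    print("patched: ", violating_perms(ALLOW, PATCHED))    # set()
    # the exclusion is per domain: other app domains are still covered
    print("untrusted_app:", violating_perms("allow untrusted_app sysfs:file write;", PATCHED))
```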

A few useful commands:

1. getenforce / setenforce
   View and set the SELinux mode
2. ls -Z <file>
   View the SELinux label of a file
3. ps -Z
   View the SELinux context of each process

Related material:
http://blog.csdn.net/innost/article/details/19299937/ (learned a lot from this)
https://stackoverflow.com/questions/30165852/selinux-permission-denied-for-a-new-framework-service-in-android (ended up not needed)
https://www.2cto.com/kf/201504/390742.html (background)


Reprinted from blog.csdn.net/ansondroider/article/details/78143971