Example AVC denials and how to resolve them
1. Example AVC denial messages:
Line 4832: 12-28 10:33:21.680000 1726 1726 I rild : type=1400 audit(0.0:59): avc: denied { execute } for name="pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
Line 4833: 12-28 10:33:21.680000 1726 1726 I rild : type=1400 audit(0.0:60): avc: denied { read open } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
Line 4834: 12-28 10:33:21.680000 1726 1726 I rild : type=1400 audit(0.0:61): avc: denied { execute_no_trans } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
Line 4835: 12-28 10:33:21.690000 1726 1726 I pppd : type=1400 audit(0.0:62): avc: denied { getattr } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
Line 4838: 12-28 10:33:21.700988 1726 1726 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 4839: 12-28 10:33:21.701056 1726 1726 E pppd : Sorry - this system lacks PPP kernel support
Line 4889: 12-28 10:33:58.118905 1734 1734 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 4890: 12-28 10:33:58.119129 1734 1734 E pppd : Sorry - this system lacks PPP kernel support
Line 4923: 12-28 10:34:01.373867 1735 1735 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 4924: 12-28 10:34:01.374034 1735 1735 E pppd : Sorry - this system lacks PPP kernel support
Line 4925: 12-28 10:34:04.626659 1736 1736 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 4926: 12-28 10:34:04.626895 1736 1736 E pppd : Sorry - this system lacks PPP kernel support
Line 4927: 12-28 10:34:07.936232 1737 1737 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 4928: 12-28 10:34:07.936401 1737 1737 E pppd : Sorry - this system lacks PPP kernel support
Line 9884: 12-28 10:34:44.255467 1793 1793 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 9885: 12-28 10:34:44.255550 1793 1793 E pppd : Sorry - this system lacks PPP kernel support
Line 9886: 12-28 10:34:44.250000 1793 1793 I pppd : type=1400 audit(0.0:64): avc: denied { read write } for name="ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
Line 9887: 12-28 10:34:44.250000 1793 1793 I pppd : type=1400 audit(0.0:65): avc: denied { open } for path="/dev/ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
Line 10713: 12-28 10:34:47.502166 1794 1794 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 10714: 12-28 10:34:47.502406 1794 1794 E pppd : Sorry - this system lacks PPP kernel support
Line 11286: 12-28 10:34:50.770849 1807 1807 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
Line 11287: 12-28 10:34:50.771091 1807 1807 E pppd : Sorry - this system lacks PPP kernel support
Line 11739: 12-28 10:34:54.087086 1809 1809 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
2. How to eliminate such denials
For the AVC denial above, create a new file test.te under the /external/sepolicy/ directory,
write into test.te: allow rmt kmem_device:chr_file {read write},
then rebuild the policy and flash the device.
But when there are many AVC denials, going through them by hand is slow and error-prone, so we can use a tool to do this work instead.
Setting up the selinux/policycoreutils/audit2allow environment:
The test machine runs Ubuntu 12.04.
Step 1: install policycoreutils on Ubuntu:
sudo apt-get install policycoreutils
Step 2: use the audit2allow tool to generate the policy rules:
audit2allow -i filename
For example, the AVC messages above produce the following output:
#============= mobile_log_d ==============
allow mobile_log_d mtk_em_ril_apnchange_prop:file { getattr open };
allow mobile_log_d sys_rpmb_ready_prop:file { getattr open };
#============= rild ==============
allow rild system_data_file:file write;
#============= untrusted_app ==============
allow untrusted_app anr_data_file:dir read;
allow untrusted_app debugfs:dir { read open };
allow untrusted_app debugfs:file { read getattr open };
allow untrusted_app device_logging_prop:file { getattr open };
allow untrusted_app mmc_prop:file { getattr open };
allow untrusted_app mtk_em_ril_apnchange_prop:file { getattr open };
allow untrusted_app safemode_prop:file { getattr open };
allow untrusted_app sys_rpmb_ready_prop:file { getattr open };
allow untrusted_app sysfs:file { read getattr open };
Add the generated rules to the corresponding .te file, then rebuild and verify.
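As an added example (not code from the original post or from audit2allow itself), the following Python script does the core of what audit2allow does for the log in section 1: it pulls the source domain, target type, object class and permissions out of each avc: denied line and prints allow rules grouped by source domain in audit2allow's output layout. The sample input is copied from the logcat excerpt above.

```python
import re
from collections import defaultdict

# Pieces of an "avc: denied" line needed to build an allow rule. The target
# may be an object type (u:object_r:...) or, for process targets, a domain.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=u:r:(?P<src>[^:\s]+):\S+ "
    r"tcontext=u:(?:r|object_r):(?P<tgt>[^:\s]+):\S+ "
    r"tclass=(?P<tclass>\S+)"
)

# Sample input copied from the logcat excerpt in section 1; pppd's own error
# line is included to show that non-AVC lines are ignored.
SAMPLE_LOG = """\
12-28 10:33:21.680000 1726 1726 I rild : type=1400 audit(0.0:59): avc: denied { execute } for name="pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
12-28 10:33:21.680000 1726 1726 I rild : type=1400 audit(0.0:60): avc: denied { read open } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
12-28 10:33:21.680000 1726 1726 I rild : type=1400 audit(0.0:61): avc: denied { execute_no_trans } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
12-28 10:33:21.690000 1726 1726 I pppd : type=1400 audit(0.0:62): avc: denied { getattr } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
12-28 10:33:21.700988 1726 1726 E pppd : Couldn't open the /dev/ppp device: Operation not permitted
12-28 10:34:44.250000 1793 1793 I pppd : type=1400 audit(0.0:64): avc: denied { read write } for name="ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
12-28 10:34:44.250000 1793 1793 I pppd : type=1400 audit(0.0:65): avc: denied { open } for path="/dev/ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
"""

def parse_denials(lines):
    """Collect {(source_domain, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # lines without an AVC record (e.g. pppd's errors) are skipped
            rules[(m["src"], m["tgt"], m["tclass"])].update(m["perms"].split())
    return rules

def format_rules(rules):
    """Render the rules the way audit2allow prints them: one block per source domain."""
    out = []
    for src in sorted({key[0] for key in rules}):
        out.append(f"#============= {src} ==============")
        for (s, tgt, tclass), perms in sorted(rules.items()):
            if s == src:
                p = sorted(perms)
                perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
                out.append(f"allow {src} {tgt}:{tclass} {perm_txt};")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_rules(parse_denials(SAMPLE_LOG.splitlines())))
```

For the log in section 1 this yields two rules for rild (on ppp_exec:file and ppp_device:chr_file), so compare the generated rule with the one you put into the .te file before flashing. Output of this kind grants a domain exactly what it was denied (the permissive=1 field shows the access was only logged, not blocked), so review each rule rather than pasting it in wholesale.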