I need to start a service at boot, but the log shows the binary failing to start. Analysis:
1. Create the corresponding .te file, e.g. containerd.te:
type containerd, coredomain, domain;
type containerd_exec, system_file_type, exec_type, file_type;
init_daemon_domain(containerd)
2. Add permissions wherever they are needed, e.g. in init.te:
allow init containerd_exec:file { open read getattr execute };
3. Assign the binary its label in file_contexts:
/system/bin/containerd u:object_r:containerd_exec:s0
With all of the above in place, the following avc denial is still reported:
avc: denied { execute_no_trans } for comm="init" path="/system/bin/containerd" dev="dm-4" ino=1333 scontext=u:r:init:s0 tcontext=u:object_r:containerd_exec:s0 tclass=file permissive=0
1. The domain transition is already allowed, via init_daemon_domain.
2. Check where the service is started: in the .rc file the seclabel was still init. execute_no_trans means init tried to run the binary inside its own domain instead of transitioning, which is exactly what seclabel u:r:init:s0 forces. Change it to the newly created label, containerd.
Old (failing):
service containerd /system/bin/containerd
    class main
    user root
    group root
    socket containerd stream 0660 root system
    seclabel u:r:init:s0
New:
service containerd /system/bin/containerd
    class main
    user root
    group root
    socket containerd stream 0660 root system
    seclabel u:r:containerd:s0
Also, since the service communicates over a socket, create a containerd_socket type and add it to file_contexts:
file.te: type containerd_socket, file_type, coredomain_socket;
file_contexts: /dev/socket/containerd u:object_r:containerd_socket:s0
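The diagnosis above, as an added example (not code from the original note): a small Python helper that parses an avc denial and the service block from an .rc file, and flags the specific case where an execute_no_trans denial from init is caused by a seclabel that pins the service to init rather than by a missing allow rule. The avc line and rc snippet are constructed copies of the ones in this note; deriving the domain name by stripping the _exec suffix is an assumption based on the naming convention used here.

```python
import re

# Constructed sample input: the denial and the old rc block from this note.
AVC_LINE = ('avc: denied { execute_no_trans } for comm="init" path="/system/bin/containerd" '
            'dev="dm-4" ino=1333 scontext=u:r:init:s0 tcontext=u:object_r:containerd_exec:s0 '
            'tclass=file permissive=0')
OLD_RC = """service containerd /system/bin/containerd
    class main
    user root
    group root
    socket containerd stream 0660 root system
    seclabel u:r:init:s0
"""

AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+) \}.*?path="(?P<path>[^"]+)".*?'
                    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def parse_avc(line):
    """Return the fields of one avc denial line, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['sdomain'] = d['s'].split(':')[2]   # u:r:init:s0 -> init
    d['ttype'] = d['t'].split(':')[2]     # u:object_r:containerd_exec:s0 -> containerd_exec
    return d

def parse_rc_services(text):
    """Map each service's binary path to its seclabel (None when no seclabel line)."""
    services, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == 'service' and len(parts) >= 3:
            cur = parts[2]
            services[cur] = None
        elif parts[0] == 'seclabel' and cur:
            services[cur] = parts[1]
    return services

def diagnose(avc, services):
    """Point at the rc seclabel when it blocks the init_daemon_domain transition; else emit an allow rule."""
    # Assumption: the exec type is named <domain>_exec, as in containerd/containerd_exec.
    domain = avc['ttype'][:-5] if avc['ttype'].endswith('_exec') else avc['ttype']
    if (avc['sdomain'] == 'init' and 'execute_no_trans' in avc['perms']
            and services.get(avc['path']) == 'u:r:init:s0'):
        return (f'seclabel u:r:init:s0 for {avc["path"]} keeps the service in the init domain; '
                f'set seclabel u:r:{domain}:s0 so init_daemon_domain({domain}) can transition')
    return f'allow {avc["sdomain"]} {avc["ttype"]}:{avc["cls"]} {{ {" ".join(avc["perms"])} }};'
```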