SELinux troubleshooting collection

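1. How do I build and verify after adding permissions?
On Android 8.0 and later, run make selinux_policy from the root of the Android source tree. The output goes to
out/target/product/XXXX/system/etc/selinux and out/target/product/XXXX/vendor/etc/selinux
Push all files from those two directories to system/etc/selinux and vendor/etc/selinux on the device, then reboot the phone.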

// Manually change the context of a file

chcon -v u:object_r:netdiag_exec:s0  mydump

2. Problem collection

out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )" The following types on /system/ must be associated with the "system_file_type" attribute: verifyusb_exec

Solution:

type verifyusb, domain;
type verifyusb_exec, system_file_type, exec_type, file_type;
init_daemon_domain(verifyusb)

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11682 of policy.conf) violated by
allow nds nds:packet_socket { ioctl };

Solution:

allowxperm nds self:packet_socket  ioctl  {0x8994 0x8b07 0x8933 0x8927};

[ 4219.491901] .(2)[330:logd.auditd]type=1400 audit(1620457138.560:683): avc: denied { dac_override } for comm="sh" capability=1 scontext=u:r:nds:s0 tcontext=u:r:nds:s0 tclass=capability permissive=0
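Solution: chmod 700 /vendor/bin/nds (fix the file's DAC permissions so the access succeeds without dac_override, rather than granting the capability in policy)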

https://seandroid-list.tycho.nsa.narkive.com/UGqJAMld/about-dac-override-denial-on-logd

https://events.static.linuxfound.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf
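
The fields of the avc: denied line above can be pulled apart mechanically. The following Python is an added example, not part of the original post: it parses denial lines, drafts the matching allow rule for review, and declines to draft one for dac_override, where correcting the file mode is the fix. The second log line and the type nds_data_file are constructed for illustration.

```python
import re

# First line is the one quoted on this page; the second is constructed
# (nds_data_file is a hypothetical type used only for this example).
PAGE_LINE = ('[ 4219.491901] .(2)[330:logd.auditd]type=1400 audit(1620457138.560:683): '
             'avc: denied { dac_override } for comm="sh" capability=1 '
             'scontext=u:r:nds:s0 tcontext=u:r:nds:s0 tclass=capability permissive=0')
CONSTRUCTED_LINE = ('type=1400 audit(0.0:1): avc: denied { read open } for comm="nds" '
                    'name="cfg" scontext=u:r:nds:s0 '
                    'tcontext=u:object_r:nds_data_file:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Capabilities whose usual fix is file mode/ownership, not a policy rule.
DAC_CAPS = {"dac_override", "dac_read_search"}

def type_of(context):
    """u:r:nds:s0 -> nds (third field of user:role:type:level)."""
    return context.split(":")[2]

def parse_denial(line):
    """Return the denial's fields as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "source": type_of(kv["scontext"]),
        "target": type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "permissive": kv.get("permissive") == "1",
    }

def suggest(d):
    """Return (draft_rule_or_None, note). The rule is a draft to review."""
    perms = " ".join(d["perms"])
    if d["tclass"].startswith("capability") and DAC_CAPS & set(d["perms"]):
        return None, "fix file mode/ownership instead of granting " + perms
    target = "self" if d["source"] == d["target"] else d["target"]
    rule = f"allow {d['source']} {target}:{d['tclass']} {{ {perms} }};"
    return rule, "rebuild with make selinux_policy to check neverallow rules"

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(suggest(parse_denial(line)))
```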

neverallow check failed at out/target/product/antman_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4293
  (neverallow base_typeattr_50_27_0 system_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
    <root>
    allow at out/target/product/antman_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:12022
      (allow hal_wifi_supplicant_default system_data_file_27_0 (file (read write getattr open)))
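Solution: this usually means the offending file or new property has no SELinux type assigned in file_contexts / property_contexts, so it gets the default system type, which is highly protected. Assign it a type that is allowed.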

3. on property trigger does not fire

https://blog.csdn.net/u014175785/article/details/92992931

4. Turning SELinux on and off

https://www.codenong.com/cs106021337/
