In dmesg you will often see a lot of "avc: denied" messages. When there are many of them, the audit2allow tool that ships with Android can convert them into allow rules for us.
The steps are as follows:
1. Copy the relevant "avc: denied" lines from dmesg into a text file. I named mine tee-supplicant.txt (because the process I was working on is tee-supplicant):
avc: denied { read append } for comm="tee-supplicant" name="kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { read append } for comm="tee-supplicant" name="kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { syslog_read } for comm="tee-supplicant" scontext=u:r:tee-supplicant:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
avc: denied { syslog_read } for comm="tee-supplicant" scontext=u:r:tee-supplicant:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
avc: denied { getattr } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { getattr } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 ioctlcmd=0x5401 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 ioctlcmd=0x5401 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { read write } for comm="tee-supplicant" name="mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { read write } for comm="tee-supplicant" name="mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
cant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
context=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
2. Put this tee-supplicant.txt file into the Android source tree under android/external/selinux/prebuilts/bin:
android/external/selinux/prebuilts/bin$ ls
audit2allow audit2why avc.te sediff sediff.py seinfo seinfo.py sesearch sesearch.py tee-supplicant.txt
3. Run the following command:
./audit2allow -i tee-supplicant.txt > avc.te
4. Look at avc.te
When I opened it, it was empty, and the following message had been printed, hinting that lunch has to be run first:
ANDROID_HOST_OUT not set. Have you run lunch?
After running source build/envsetup.sh and lunch xxx, running the audit2allow command again works, and the auto-generated content is as follows:
#============= tee-supplicant ==============
allow tee-supplicant block_device:blk_file { ioctl open read };
allow tee-supplicant block_device:dir search;
allow tee-supplicant device:chr_file { ioctl open read write };
allow tee-supplicant kernel:system syslog_read;
allow tee-supplicant kmsg_debug_device:chr_file { append getattr ioctl open read };
allow tee-supplicant self:capability sys_rawio;
allow tee-supplicant sysfs:file open;
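To make it clear what audit2allow is doing with those lines, here is a small Python script, added as an example and not taken from the post or from audit2allow itself, that parses AVC denial records the same way: it extracts the source type, target type and object class from scontext/tcontext/tclass, replaces the target with self when both contexts match (the sys_rawio capability line), merges duplicate records into one rule per (source, target, class) triple, and prints the rules in audit2allow's format. It goes one step beyond the page's output by also collecting the ioctlcmd values, which the allow rules above discard but which you need if you later want to restrict the ioctl permission to specific commands with allowxperm. The sample input is the denial lines from the capture above (one duplicate and one terminal-truncated fragment kept on purpose); the file argument and the helper names are this example's own.

```python
import re
import sys
from collections import defaultdict

# Sample input: AVC lines copied from the dmesg capture above. One duplicate and one line
# truncated by the terminal are included on purpose, to show that duplicates merge and that
# fragments without an "avc: denied { ... }" header are skipped. permissive=1 means the
# denial was only logged, not enforced, which is why the process kept going.
SAMPLE_LOG = """\
avc: denied { read append } for comm="tee-supplicant" name="kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { syslog_read } for comm="tee-supplicant" scontext=u:r:tee-supplicant:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
avc: denied { getattr } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 ioctlcmd=0x5401 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
cant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1
avc: denied { read write } for comm="tee-supplicant" name="mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
"""

# Layout of one AVC record. re.search (not match) is used so that a dmesg or logcat prefix
# such as "[   12.345678] type=1400 audit(...)" in front of "avc:" is tolerated.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
IOCTL_RE = re.compile(r'ioctlcmd=(0x[0-9a-fA-F]+)')

# Header audit2allow prints before the rules of each source type.
HEADER = '#============= {} =============='


def type_of(context):
    """Return the type field of a 'u:r:type:s0' or 'u:object_r:type:s0' label."""
    return context.split(':')[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms, ioctlcmd) for every parseable line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, e.g. a fragment cut off by the terminal
        src, tgt = type_of(m['scontext']), type_of(m['tcontext'])
        if src == tgt:
            tgt = 'self'  # same convention audit2allow uses for the capability rule
        ioctl = IOCTL_RE.search(m['fields'])
        yield src, tgt, m['tclass'], set(m['perms'].split()), ioctl.group(1) if ioctl else None


def build_rules(text):
    """Merge all denials into one permission set per (source, target, class), like audit2allow.

    Returns (perms_by_key, ioctls_by_key); the second map is extra information the allow
    rules themselves do not keep.
    """
    perms_by_key, ioctls_by_key = defaultdict(set), defaultdict(set)
    for src, tgt, tclass, perms, ioctl in parse_denials(text):
        perms_by_key[(src, tgt, tclass)] |= perms
        if ioctl:
            ioctls_by_key[(src, tgt, tclass)].add(ioctl)
    return perms_by_key, ioctls_by_key


def format_rules(perms_by_key):
    """Render the merged rules in audit2allow's output format, sorted like its output."""
    out, current_src = [], None
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        if src != current_src:
            out.append(HEADER.format(src))
            current_src = src
        ps = sorted(perms)
        body = ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'
        out.append(f'allow {src} {tgt}:{tclass} {body};')
    return '\n'.join(out)


def main(argv):
    # Optional argument: a file of captured lines such as tee-supplicant.txt; defaults to the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    perms, ioctls = build_rules(text)
    print(format_rules(perms))
    for (_, tgt, tclass), cmds in sorted(ioctls.items()):
        print(f'# ioctl commands seen on {tgt}:{tclass}: {" ".join(sorted(cmds))}')


if __name__ == '__main__':
    main(sys.argv)
```

Running it with no argument prints the same seven allow lines as the avc.te above; running it with tee-supplicant.txt as the argument lets you diff your own capture against audit2allow's result. Because the tool simply takes the union of every permission it saw, each generated rule (the self:capability sys_rawio one in particular) is worth reading against what the process actually needs before it goes into the policy, and the ioctl commands the script lists are what an allowxperm rule would pin the ioctl permission to.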
To make it easier to stay in touch, I have set up a WeChat official account; search for "楼中望月" on WeChat. Comments and discussion are welcome~