原 Android SELinux Enforcing 模式下问题及解决

最新推荐文章于 2025-04-08 12:01:41 发布
最新推荐文章于 2025-04-08 12:01:41 发布
阅读量5.2k 收藏 1
点赞数
分类专栏: 工欲善其事必先利其器

平台:

RK3288 + android 5.11

修改selinux模式为enforcing (默认为 permissive) 
主要修改parameter:

FIRMWARE_VER:5.1.1
MACHINE_MODEL:rk3288
...
#private 6GB, System 512MB, Data 3GB, origin 512MB
CMDLINE:console=ttyFIQ0 androidboot.selinux=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00040000@0x00050000(cache),0x00002000@0x00090000(kpanic),0x00400000@0x00092000(system),0x00008000@0x00492000(metadata),0x00C00000@0x0049A000(private),0x0012C000@0x0109A000(origin),0x00600000@0x011C6000(userdata),0x00020000@0x017C6000(radical_update),-@0x017E6000(user)
  • 1
  • 2
  • 3
  • 4
  • 5

重点在:androidboot.selinux=enforcing

在系统启动后, 可以通过getenforce 查看是否设置成功

#adb shell getenforce
Enforcing
  • 1
  • 2

问题1:

自定义服务无法正常启动, 导致android 不停重启, LOG 如下:

01-02 02:17:00.313 I/ActivityManagerService( 3003): Start proc 3581:com.android.settings/1000 for broadcast com.android.settings/.HdmiReceiver
01-02 02:17:00.322 D/SystemControlerService( 3003): ALog onServiceConnected
01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:17:00.323 D/SystemControlerService( 3538): ALog android.net.wifi.WIFI_STATE_CHANGED
01-02 02:17:00.323 D/AndroidRuntime( 3003): Shutting down VM
01-02 02:17:00.323 E/AndroidRuntime( 3003): *** FATAL EXCEPTION IN SYSTEM PROCESS: main
01-02 02:17:00.323 E/AndroidRuntime( 3003): java.lang.SecurityException
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.BinderProxy.transactNative(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.os.SystemControlerService.access$000(SystemControlerService.java:51)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.os.SystemControlerService$1.onServiceConnected(SystemControlerService.java:80)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1208)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1225)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Handler.handleCallback(Handler.java:739)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Handler.dispatchMessage(Handler.java:95)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Looper.loop(Looper.java:135)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemServer.run(SystemServer.java:274)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at java.lang.reflect.Method.invoke(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:17:00.328 E/ActivityManagerService( 3003): warning: could NOT find SYSTEMCTRL_SERVICE service
01-02 02:17:00.521 W/art     ( 3003): Long monitor contention event with owner method=boolean com.android.server.am.ActivityManagerService.unbindService(android.app.IServiceConnection) from ActivityManagerService.java:15763 waiters=0 for 192ms
01-02 02:17:00.522 E/AndroidRuntime( 3003): Error reporting crash
01-02 02:17:00.522 E/AndroidRuntime( 3003): java.lang.NullPointerException: Attempt to read from field 'android.content.pm.ApplicationInfo com.android.server.am.ProcessRecord.info' on a null object reference
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11969)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.server.am.ActivityManagerService.handleApplicationCrash(ActivityManagerService.java:11945)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.internal.os.RuntimeInit$UncaughtHandler.uncaughtException(RuntimeInit.java:89)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:693)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:690)
01-02 02:17:00.522 I/Process ( 3003): Sending signal. PID: 3003 SIG: 9
01-02 02:17:00.587 I/ServiceManager(  171): service 'display' died
01-02 02:17:00.588 W/AudioFlinger( 2778): power manager service died !!!
01-02 02:17:00.590 E/WifiManager( 3108): Channel connection lost
01-02 02:17:00.591 D/SurfaceFlinger(  174): Set power mode=2, type=0 flinger=0xb7b91550
01-02 02:17:00.591 D/SurfaceFlinger(  174): Screen type=0 is already mode=2
01-02 02:17:00.599 I/ServiceManager(  171): service 'hardware' died
01-02 02:17:00.600 E/BufferQueueProducer(  174): [StatusBar] queueBuffer: BufferQueue has been abandoned
01-02 02:17:00.600 E/Surface ( 3108): queueBuffer: error queuing buffer to SurfaceTexture, -19
01-02 02:17:00.600 F/OpenGLRenderer( 3108): Encountered EGL error 12299 EGL_BAD_NATIVE_WINDOW during rendering
01-02 02:17:00.601 F/libc    ( 3108): Fatal signal 6 (SIGABRT), code -6 in tid 3526 (RenderThread)
01-02 02:17:00.603 I/ServiceManager(  171): service 'webviewupdate' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'consumer_ir' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'user' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'sensorservice' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'batterystats' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'appops' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'power' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'device_policy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'input' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'input_method' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'clipboard' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'account' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'entropy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'vibrator' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'cpuinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'procstats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'mount' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'telephony.registry' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'devicestoragemonitor' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'content' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'gfxinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'package' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'statusbar' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'meminfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'dbinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'permission' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'activity' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'servicediscovery' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'netstats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'wifip2p' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'usagestats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'textservices' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'scheduling_policy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'battery' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'alarm' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'lock_settings' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'accessibility' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'window' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'bluetooth_manager' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'network_score' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'netpolicy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'network_management' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'search' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'country_detector' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wifiscanner' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wifi' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'ethernet' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'location' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'rttmanager' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'connectivity' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'updatelock' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'notification' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'dreams' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wallpaper' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'dropbox' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'DockObserver' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_session' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'audio' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'usb' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'assetatlas' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'uimode' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'jobscheduler' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'samplingprofiler' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'voiceinteraction' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'appwidget' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'commontime_management' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'backup' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'serial' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'diskstats' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_router' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'display_device_management' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_projection' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'fingerprint' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'trust' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'restrictions' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'print' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'imms' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'launcherapps' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'telecom' died
01-02 02:17:00.702 E/DEBUG   (  189): Failed to find a valid tombstone, default to using tombstone 0.
01-02 02:17:00.702 E/DEBUG   (  189): failed to open tombstone file '/data/tombstones/tombstone_00': No such file or directory
01-02 02:17:00.702 I/DEBUG   (  189): Skipping tombstone write, nothing to do.
01-02 02:17:00.726 I/BootAnimation( 3601): boot_animation_process start, built at '18:49:46', on 'Sep 21 2017'.

再如:
01-02 02:25:23.372 I/SystemServiceManager(  495): Starting com.android.server.pppoe.PppoeService
01-02 02:25:23.373 I/PppoeServiceImpl(  495): Creating PppoeServiceImpl
01-02 02:25:23.375 I/PppoeService(  495): Registering service pppoe
01-02 02:25:23.376 E/SELinux (  171): avc:  denied  { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager(  171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 W/SystemServer(  495): ***********************************************
01-02 02:25:23.377 F/SystemServer(  495): BOOT FAILURE start PppoeService error 
01-02 02:25:23.377 F/SystemServer(  495): java.lang.RuntimeException: Failed to start service com.android.server.pppoe.PppoeService: onStart threw an exception
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:111)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:65)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.startOtherServices(SystemServer.java:709)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.run(SystemServer.java:261)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:25:23.377 F/SystemServer(  495):   at java.lang.reflect.Method.invoke(Native Method)
01-02 02:25:23.377 F/SystemServer(  495):   at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:25:23.377 F/SystemServer(  495): Caused by: java.lang.SecurityException
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.BinderProxy.transactNative(Native Method)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.pppoe.PppoeService.onStart(PppoeService.java:40)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:109)
01-02 02:25:23.377 F/SystemServer(  495):   ... 8 more
01-02 02:25:23.377 I/SystemServer(  495): Connectivity Service
01-02 02:25:23.380 D/ConnectivityService(  495): ConnectivityService starting up
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161

关键看LOG:

01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED

01-02 02:25:23.376 E/SELinux (  171): avc:  denied  { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager(  171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
  • 1
  • 2
  • 3
  • 4
  • 5

————解决————–

$ git diff device/rockchip/common/sepolicy/service_contexts
diff --git a/device/rockchip/common/sepolicy/service_contexts b/device/rockchip/common/sepolicy/service_contexts
old mode 100644
new mode 100755
index 216f6b8..5cc9fd3
--- a/device/rockchip/common/sepolicy/service_contexts
+++ b/device/rockchip/common/sepolicy/service_contexts
@@ -2,3 +2,5 @@
 fmradioservice                u:object_r:radio_service:s0
 oemtelephony                  u:object_r:radio_service:s0
 msm.registry                  u:object_r:system_app_service:s0
+systemctrl                    u:object_r:system_server_service:s0
+pppoe                                            u:object_r:system_server_service:s0
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13

PS:

SELinux的相关的源码有两处: 
|–device/rockchip/common/sepolicy/ 
|–external/sepolicy/ 
编译及生效:

mmm external/sepolicy/ && ./mkimage.sh
  • 1

再通过工具烧录 boot.img 和 recovery.img(可选)

问题二:

文件访问权限无权限, 如读取文件夹, 查看文件信息, 无法创建文件, 无法写入等等. 
自定义private 分区, 目录为/private 
通常, 错误的LOG为:

 #type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
表明: system_server 无法访问 vfat 的 dir, 操作 search.
修改方法为, 在TE中加入:
+allow system_server vfat:dir {search};

 #type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
+allow system_app system_app_data_file:file{ execute };
其它的问题修改类似.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

为system_app赋与读写权限:

diff --git a/device/rockchip/common/sepolicy/file.te b/device/rockchip/common/sepolicy/file.te
old mode 100644
new mode 100755
index 371e1dc..1cd6326
--- a/device/rockchip/common/sepolicy/file.te
+++ b/device/rockchip/common/sepolicy/file.te
@@ -26,10 +26,11 @@ type rpc_send_socket, file_type;
 type rpc_reg_socket, file_type;

 type metadata_file, file_type;
+type private_file, file_type;

diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
old mode 100644
new mode 100755
index fc55766..118ed6b
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -11,6 +11,9 @@
 # Bluetooth
 /dev/ttyBT(.*)                  u:object_r:tty_device:s0

 # logcat
 /system/bin/logcat              u:object_r:logcat_exec:s0

@@ -127,6 +130,7 @@
 /system/bin/akmd     u:object_r:akmd_exec:s0

 /metadata(/.*)?      u:object_r:metadata_file:s0
+/private(/.*)?      u:object_r:private_file:s0

+++ b/device/rockchip/common/sepolicy/system_app.te
@@ -18,6 +18,39 @@ allow system_app cache_file:file create_file_perms;
 allow system_app thermal_file:file rw_file_perms;
 allow system_app pekallfmrserver:binder { call transfer };
 allow system_app default_prop:property_service { set };
+#private
+allow system_app private_file:dir rw_dir_perms;
+allow system_app private_file:file execute;
+allow system_app private_file:file rw_file_perms;
+allow system_app private_file:dir { append create open write getattr setattr rename execute};
+allow system_app private_file:file { append unlink create open write getattr setattr rename execute};
+allow system_app toolbox_exec:file { read open getattr execute execute_no_trans};
+allow system_app su_exec:file { read open getattr execute execute_no_trans};
+
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45

如USB, 串口访问: 
为ttyACM 定义 
|–device/rockchip/common/sepolicy/file_contexts

# ACM
/dev/ttyACM[0-9]*               u:object_r:tty_device:s0
  • 1
  • 2

|–device/rockchip/common/sepolicy/system_app.te

+allow system_app usb_device:dir rw_dir_perms;
+allow system_app tty_device:dir rw_dir_perms;
+allow system_app usb_device:chr_file {lock open read write ioctl};
+allow system_app tty_device:chr_file {lock open read write ioctl};
  • 1
  • 2
  • 3
  • 4

问题3:

当加入某些权限与原本定义产生冲突时编译失败:

mmm external/sepolicy/

libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 1 neverallow failures occurred
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
Error while expanding policy
make: *** [out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy] 错误 1
make: *** 正在等待未完成的任务....
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

关键看这一句:

neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf)
  • 1

直接去看下policy.conf文件里面写着什么: 
|–out/target/product/rk3288/obj/ETC/sepolicy_intermediates/policy.conf

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
  • 1
  • 2
  • 3

原因是我尝试在system_app.te中加入 system app对设备节点文件的读写操作:

allow system_app sysfs:file { read write getattr open };
//这里的定义会与|--external/sepolicy/app.te中的定义冲突:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
  • 1
  • 2
  • 3
  • 4
  • 5

解决: 
|–external/sepolicy/app.te

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
//改为:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app}
    sysfs:dir_file_class_set write;
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

有用的几个命令:

1.getenforce setenforce 
查看和设置模式 
2. ls -Z 文件 
查看文件的selinux权限 
3. ps -Z 

查看进程selinux 权限


I.SELinux文件类型确定

查看文件的安全上下文并做修改

1、到相关目录中去查看

root@Z00T:/cd system/bin/
root@Z00T:/ls -Z | grep demo
  • 1
  • 2
  • 3

PS:demo替换成所需查看的文件名 
一般情况下,由于没有设置demo的selinux权限,一般会默认它为文件系统中的文件 
demo u:object_r:system_file:s0

2、添加定义文件类型的策略文件 
1)添加所需的策略文件demo.te(这里demo以可执行程序为例) 
在device/qcom/sepolicy/common中,新建demo.te文件

type demo, domain;
type demo_exec, exec_type, file_type;
init_daemon_domain(demo)
  • 1
  • 2
  • 3
  • 4

定义了demo是domain(领域),demo_exec为可执行程序

2)对文件匹配进行设定 
在device/qcom/sepolicy/common/file_contexts中,加入匹配字段

/system/bin/demo u:object_r:demo_exec:s0
  • 1
  • 2

PS:上文中的demo均可替换成所需文件名

此时再进行第1步看是否生效,注意demo文件不能使用push进去的文件,以免file_context不识别。这时的kernel所报的log才是需要加权限的log

编译是否生效:查看out/target/product/<>/root/file_contexts文件及 out/target/product/<>/obj/ETC/file_contexts_intermediates/file_contexts文件

PS:如demo仅仅是资源文件,可以直接在file_context做匹配字段,在device/qcom/sepolicy/common/file.te上可以看到所有的文件类型 
demo u:object_r:system_file:s0 system_file换成所需文件类型即可

II.SELinux加入权限

根据内核log所报的错误权限信息,加入权限即可。

比如内核报这样的错:

# cat /dev/kmsg
[  172.554381] type=1400 audit(22611.739:4): avc:  denied  { getattr } for  pid=257 comm="demo" path="/system/rfs"             dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
[  173.287498] type=1400 audit(22612.479:5): avc:  denied  { relabelfrom } for  pid=257 comm="demo" name="rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
  • 1
  • 2
  • 3
  • 4

一般可以在comm下面看到domain的信息,知道我们所需要修改的te文件

在相应的te、文件中增加语句,语句格式为

allow sourcecontext targetcontext:class 许可 ;

例如

[ 172.554381] type=1400 audit(22611.739:4): avc: denied { getattr } for pid=257 comm=”update_binary” path=”/system/rfs” dev=”mmcblk0p42” ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0 

sourcecontext指的是“scontext=u:r:recovery:s0”的recovery,targetcontext 指的是“tcontext=u:object_r:rfs_system_file:s0 ” 中的rfs_system_file, class指的是“tclass=dir”中的dir,许可指的是“{}”中的getattr, 
所以增加语句

allow recovery rfs_system_file:dir getattr;

III.解决编译报错问题

访问block device超过权限问题

对block device访问时,会因为neverallow,导致编译不过,此时不可以去修改/external/sepolicy/domain.te文件,这样会使cts跑不过,因而给domain特定的block device访问权限。

可以在device/qcom/sepolicy/msm89xx/file_context定义相关block device,如果仍发现编译报错,报错原因是相关的block device没有定义,可以到/external/sepolicy/device.te做定义。然后再根据第II步所示,继续修改。

访问default property超过权限

有时会碰到访问default property的访问权限被neverallow,导致编译不过,同理不可修改domain.te,可以在device/qcom/sepolicy/common/property.te中 定义一类property

type demo_prop, property_type;
  • 1
  • 2

在device/qcom/sepolicy/common/property_context上匹配所需要访问的property

adb.on                     u:object_r:demo_prop:s0
  • 1
  • 2

然后再根据第II步所示,继续修改。

操作访问

当需要手动进行一定的操作的时候,可以 cat /dev/kmsg,看需要什么样的权限,然后找到特定的te文件,进行操作

如在mout某分区时

avc: denied { associate } for pid=4256 comm="mount" scontext=u:-Object_r:fac_file:S0 (file:S0) (file:S0 (file:S0)) tcontext=u:-Object_r:fac_file:S0 (file:S0) (file:S0 (file:S0)) tclass=filesystem permissive=0
  • 1
  • 2

说明mount没有相关的权限,可以在init.te中加入相关的权限。


Android SELinux——工作模式(二)
小旭的专栏
10-10 1215
SELinux 提供了三种不同的工作模式,每种模式都有其特定的目的和使用场景。这里我们就来介绍这三种模式的使用场景。
RK356X Android11.0 获取ROOT权限
kuosuoguang3325的博客
07-22 4692
Android11.0 获取ROOT权限 测试平台:RK356X Android11.0 修改步骤 需要编译userdebug版本 关闭selinux $ vim device/rockchip/common/BoardConfig.mk @@ -59,7 +59,7 @@ BOARD_BOOT_HEADER_VERSION ?= 2 BOARD_MKBOOTIMG_ARGS := BOARD_PREBUILT_DTBOIMAGE ?= $(TARGET_DEVICE_DIR)/d
linux必须运行在enforcing,Linux系统中SELinux的工作模式(Disabled、Permissive和Enforcing...
weixin_39853892的博客
05-01 391
通过对SElinux的介绍,初学者可以这样认为,在传统Linux系统使用访问控制方式的基础上,附加使用SELinux可增强系统安全。那么,SELinux是如何运行的呢?在解释 SELinux 的工作模式之前,先解释几个概念。主体(Subject):就是想要访问文件或目录资源的进程。想要得到资源,基本流程是这样的:由用户调用命令,由命令产生进程,由进程去访问文件或目录资源。在自主访问控制系统中(Li...
Android SELinux Enforcing 模式问题解决
ansondroider的博客
09-30 6543
平台:RK3288 + android 5.11修改selinux模式enforcing (默认为 permissive) 主要修改parameter:FIRMWARE_VER:5.1.1 MACHINE_MODEL:rk3288 ... #private 6GB, System 512MB, Data 3GB, origin 512MB CMDLINE:console=ttyFIQ0 andr
android 12】【权限】动态控制selinux开启和关闭
最新发布
zhangboyu1986的博客
04-08 193
1. 实现的思想:首先在一个独立分区内(如rk平台的vendor分区)写下一个标志位,用来标记产测模式和正常使用模式;其次,产测app在产测时,写入产测模式标志,且产测结束时,写入正常模式标志;然后,在设备的boot中,从独立分区里取出标志位,写入cmdline的环境变量;1. 设备在生产的时候,需要进行硬件测试,测试代码需要很多selinux权限,但是非测试环境下不能开启这些selinux权限,这就需要实现一种通过代码可以动态开关selinux权限的机制。2. boot端修改代码。
SElinux
weixin_50339832的博客
09-06 1756
SElinux selinux类型:Enforcing,Permissive, orDisabled Enforcing:既阻止用户的违规行为,同时对违规行为作日志记录 Permissive:不对违规行为作阻止,只记录日志 Disabled:SElinux不开启,不记录日志 配置文件 /etc/sysconfig/selinux(重启生效) /etc/s...
SElinux怎样设置Enforcing,Permissive,Disabled三种状态
2301_77695535的博客
08-20 869
未关闭时,getenforce查看SELinux状态为Enforcing。将SELINUX这一行替换为disabled,保存退出后则永久关闭。# getenforce查看状态变为Permissive。# setenforce 0(临时关闭,重启失效)注意,退出后重启生效。
Android系统10 RK3399 init进程启动(二十四) Selinux三种模式
ldswfun的专栏
05-18 2824
配套系列教学视频链接: 安卓系列教程之ROM系统开发-百问100ask 说明 系统:Android10.0 设备: FireFly RK3399 (ROC-RK3399-PC-PLUS) 前言 本章节介绍Selinux工作的三种模式,并知道如何切换三种模式。 一, Selinux三种模式介绍 selinux一般有三种模式, Disabled、Permissive 和 Enforcing,SEAndroid是基于SElinux, 所以也是一样有这三种模式。 1, Disab...
详解Android Selinux 权限及问题
01-20
由于现做的是MTK平台,源码路径基于MTK, 不过高通大同小异 ...SELinux 分为两种模式Android 5.0 后所有进程都使用 enforcing mode。 enforcing mode: 限制访问 permissive mode: 只审查权限,不限制 SELin
AndroidSELinux详解
achirandliu的专栏
06-07 1082
AndroidSELinux详解
Android SELinux安全机制详解及配置应用
12-02
还有一种模式是禁用模式(Disabled),在这种模式下,SELinux不会运行,系统将失去SELinux提供的额外安全防护。 通过getenforce和setenforce命令可以查看和更改当前SELinux的运行模式。例如,使用getenforce可以...
linux中SELINUX初识
Zachariah_Zh的博客
11-07 404
SELINUXSELINUX(安全增强型Linux)是可保护你系统安全性的额外机制在某种程度上,它可以被看作是与标准权限系统并行的权限系统。在常规模式中,以用户身份运行进程,并且系统上的文件和其他资源都设置了权限(控制哪些用户对哪些文件具有哪些访问权SELINUX的另一个不同之处在于,若要访问文件,你必须具有普通访问权限和SELINUX访问权限。因此,即使以超级用户身份root运行进程,根据进程以及
SELinux 宽容模式(permissive) 强制模式(enforcing) 关闭(disabled) 几种模式之间的转换...
weixin_30606461的博客
06-24 693
在CentOS6.2 中安装intel 的c++和fortran 的编译器时,遇到来一个关于SELinux的强制模式不可执行的情况, 需要关闭SELinux 或者 将enforcing改为 permissive 模式,查询来一些资料后,先对SELinux的几种模式,以及其之间的关系和转换方法做一小结,以备以后查看和学习。 SELinux 的启动、关闭与查看 1、并非所有的 Linux dis...
Attempt to read from field 'android.os.MessageQueue android.os.Looper.mQueue' on a null object refer
Kodulf的专栏
10-08 8423
//如果主线程使用了子线程的looper,那么就会报错 mHandler = new Handler(myThread.looper); Attempt to read from field 'android.os.MessageQueue android.os.Looper.mQueue' on a null object refer 2019-10-08 17:36:39.892 1269...
迅为iTOP3568开发板Android11获取root权限关闭selinux
mucheni的博客
11-21 773
迅为iTOP3568开发板Android11获取root权限关闭selinux
android 模拟crash_Android crash问题分析定位方法
weixin_39744240的博客
12-19 1292
Android APP在运行过程中如出现crash异常,会产生tombstone文件,存放在/data/tombstones目录下。思路之一:我们可以通过分析tombstone来定位问题因。crash异常日志如下:11-06 09:26:19.495 F/libc ( 993): Fatal signal 6 (SIGABRT), code -6 in tid 1046 (RenderT...
Android 系统添加SELinux权限
weixin_30536513的博客
07-14 1225
CPU:RK3288 系统:Android 5.1 SELinux 主要由美国国家安全局开发。2.6 及以上版本的 Linux 内核都已经集成了 SELinux 模块。 通过虚拟文件系统 proc 来读写 gpio 的方法非常受欢迎,不仅因为其省去了 hal 层、 jni 层的代码,而且可以直接通过 adb shell 来读写 gpio。 在 user 版本,虽然驱动代码中已经...
selinux状态获取过程
Android开发
06-01 1831
Android8.0为例 system/core/init/init.cpp static void selinux_initialize(bool in_kernel_domain) { bool kernel_enforcing = (security_getenforce() == 1); bool is_enforcing = selinux...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值