Android SELinux Enforcing Mode: Problems and Solutions

Platform:

RK3288 + android 5.11

Change the SELinux mode to enforcing (the default is permissive).
The main change is in the parameter file:

FIRMWARE_VER:5.1.1
MACHINE_MODEL:rk3288
...
#private 6GB, System 512MB, Data 3GB, origin 512MB
CMDLINE:console=ttyFIQ0 androidboot.selinux=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00040000@0x00050000(cache),0x00002000@0x00090000(kpanic),0x00400000@0x00092000(system),0x00008000@0x00492000(metadata),0x00C00000@0x0049A000(private),0x0012C000@0x0109A000(origin),0x00600000@0x011C6000(userdata),0x00020000@0x017C6000(radical_update),-@0x017E6000(user)

The key part is: androidboot.selinux=enforcing

After the system boots, run getenforce to check that the setting took effect:

#adb shell getenforce
Enforcing

Problem 1:

A custom service fails to start, which makes Android reboot endlessly. The log is as follows:

01-02 02:17:00.313 I/ActivityManagerService( 3003): Start proc 3581:com.android.settings/1000 for broadcast com.android.settings/.HdmiReceiver
01-02 02:17:00.322 D/SystemControlerService( 3003): ALog onServiceConnected
01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:17:00.323 D/SystemControlerService( 3538): ALog android.net.wifi.WIFI_STATE_CHANGED
01-02 02:17:00.323 D/AndroidRuntime( 3003): Shutting down VM
01-02 02:17:00.323 E/AndroidRuntime( 3003): *** FATAL EXCEPTION IN SYSTEM PROCESS: main
01-02 02:17:00.323 E/AndroidRuntime( 3003): java.lang.SecurityException
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.BinderProxy.transactNative(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.os.SystemControlerService.access$000(SystemControlerService.java:51)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.os.SystemControlerService$1.onServiceConnected(SystemControlerService.java:80)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1208)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1225)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Handler.handleCallback(Handler.java:739)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Handler.dispatchMessage(Handler.java:95)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at android.os.Looper.loop(Looper.java:135)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemServer.run(SystemServer.java:274)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at java.lang.reflect.Method.invoke(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:17:00.323 E/AndroidRuntime( 3003):     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:17:00.328 E/ActivityManagerService( 3003): warning: could NOT find SYSTEMCTRL_SERVICE service
01-02 02:17:00.521 W/art     ( 3003): Long monitor contention event with owner method=boolean com.android.server.am.ActivityManagerService.unbindService(android.app.IServiceConnection) from ActivityManagerService.java:15763 waiters=0 for 192ms
01-02 02:17:00.522 E/AndroidRuntime( 3003): Error reporting crash
01-02 02:17:00.522 E/AndroidRuntime( 3003): java.lang.NullPointerException: Attempt to read from field 'android.content.pm.ApplicationInfo com.android.server.am.ProcessRecord.info' on a null object reference
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11969)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.server.am.ActivityManagerService.handleApplicationCrash(ActivityManagerService.java:11945)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at com.android.internal.os.RuntimeInit$UncaughtHandler.uncaughtException(RuntimeInit.java:89)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:693)
01-02 02:17:00.522 E/AndroidRuntime( 3003):     at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:690)
01-02 02:17:00.522 I/Process ( 3003): Sending signal. PID: 3003 SIG: 9
01-02 02:17:00.587 I/ServiceManager(  171): service 'display' died
01-02 02:17:00.588 W/AudioFlinger( 2778): power manager service died !!!
01-02 02:17:00.590 E/WifiManager( 3108): Channel connection lost
01-02 02:17:00.591 D/SurfaceFlinger(  174): Set power mode=2, type=0 flinger=0xb7b91550
01-02 02:17:00.591 D/SurfaceFlinger(  174): Screen type=0 is already mode=2
01-02 02:17:00.599 I/ServiceManager(  171): service 'hardware' died
01-02 02:17:00.600 E/BufferQueueProducer(  174): [StatusBar] queueBuffer: BufferQueue has been abandoned
01-02 02:17:00.600 E/Surface ( 3108): queueBuffer: error queuing buffer to SurfaceTexture, -19
01-02 02:17:00.600 F/OpenGLRenderer( 3108): Encountered EGL error 12299 EGL_BAD_NATIVE_WINDOW during rendering
01-02 02:17:00.601 F/libc    ( 3108): Fatal signal 6 (SIGABRT), code -6 in tid 3526 (RenderThread)
01-02 02:17:00.603 I/ServiceManager(  171): service 'webviewupdate' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'consumer_ir' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'user' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'sensorservice' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'batterystats' died
01-02 02:17:00.604 I/ServiceManager(  171): service 'appops' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'power' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'device_policy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'input' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'input_method' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'clipboard' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'account' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'entropy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'vibrator' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'cpuinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'procstats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'mount' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'telephony.registry' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'devicestoragemonitor' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'content' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'gfxinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'package' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'statusbar' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'meminfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'dbinfo' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'permission' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'activity' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'servicediscovery' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'netstats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'wifip2p' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'usagestats' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'textservices' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'scheduling_policy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'battery' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'alarm' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'lock_settings' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'accessibility' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'window' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'bluetooth_manager' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'network_score' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'netpolicy' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'network_management' died
01-02 02:17:00.605 I/ServiceManager(  171): service 'search' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'country_detector' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wifiscanner' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wifi' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'ethernet' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'location' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'rttmanager' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'connectivity' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'updatelock' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'notification' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'dreams' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'wallpaper' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'dropbox' died
01-02 02:17:00.606 I/ServiceManager(  171): service 'DockObserver' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_session' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'audio' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'usb' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'assetatlas' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'uimode' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'jobscheduler' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'samplingprofiler' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'voiceinteraction' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'appwidget' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'commontime_management' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'backup' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'serial' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'diskstats' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_router' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'display_device_management' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'media_projection' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'fingerprint' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'trust' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'restrictions' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'print' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'imms' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'launcherapps' died
01-02 02:17:00.608 I/ServiceManager(  171): service 'telecom' died
01-02 02:17:00.702 E/DEBUG   (  189): Failed to find a valid tombstone, default to using tombstone 0.
01-02 02:17:00.702 E/DEBUG   (  189): failed to open tombstone file '/data/tombstones/tombstone_00': No such file or directory
01-02 02:17:00.702 I/DEBUG   (  189): Skipping tombstone write, nothing to do.
01-02 02:17:00.726 I/BootAnimation( 3601): boot_animation_process start, built at '18:49:46', on 'Sep 21 2017'.

Another example:
01-02 02:25:23.372 I/SystemServiceManager(  495): Starting com.android.server.pppoe.PppoeService
01-02 02:25:23.373 I/PppoeServiceImpl(  495): Creating PppoeServiceImpl
01-02 02:25:23.375 I/PppoeService(  495): Registering service pppoe
01-02 02:25:23.376 E/SELinux (  171): avc:  denied  { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager(  171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 W/SystemServer(  495): ***********************************************
01-02 02:25:23.377 F/SystemServer(  495): BOOT FAILURE start PppoeService error 
01-02 02:25:23.377 F/SystemServer(  495): java.lang.RuntimeException: Failed to start service com.android.server.pppoe.PppoeService: onStart threw an exception
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:111)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:65)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.startOtherServices(SystemServer.java:709)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.run(SystemServer.java:261)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:25:23.377 F/SystemServer(  495):   at java.lang.reflect.Method.invoke(Native Method)
01-02 02:25:23.377 F/SystemServer(  495):   at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:25:23.377 F/SystemServer(  495): Caused by: java.lang.SecurityException
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.BinderProxy.transactNative(Native Method)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:25:23.377 F/SystemServer(  495):   at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.pppoe.PppoeService.onStart(PppoeService.java:40)
01-02 02:25:23.377 F/SystemServer(  495):   at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:109)
01-02 02:25:23.377 F/SystemServer(  495):   ... 8 more
01-02 02:25:23.377 I/SystemServer(  495): Connectivity Service
01-02 02:25:23.380 D/ConnectivityService(  495): ConnectivityService starting up

The key log lines are:

01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED

01-02 02:25:23.376 E/SELinux (  171): avc:  denied  { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager(  171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED

———— Solution ————

$ git diff device/rockchip/common/sepolicy/service_contexts
diff --git a/device/rockchip/common/sepolicy/service_contexts b/device/rockchip/common/sepolicy/service_contexts
old mode 100644
new mode 100755
index 216f6b8..5cc9fd3
--- a/device/rockchip/common/sepolicy/service_contexts
+++ b/device/rockchip/common/sepolicy/service_contexts
@@ -2,3 +2,5 @@
 fmradioservice                u:object_r:radio_service:s0
 oemtelephony                  u:object_r:radio_service:s0
 msm.registry                  u:object_r:system_app_service:s0
+systemctrl                    u:object_r:system_server_service:s0
+pppoe                                            u:object_r:system_server_service:s0
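Review bot: the `+systemctrl` entry does not carry the name the denial was reported for. The AVC line is `avc: denied { add } for service=systemctrl_service ...` and the failing call is `add_service('systemctrl_service',60)`, so the entry should be `systemctrl_service  u:object_r:system_server_service:s0`; if the service_contexts lookup on this tree is prefix-based, the shorter key happens to match, but it then also labels any other service whose name starts with `systemctrl`. The `+pppoe` entry matches `service=pppoe` exactly. Also align the whitespace on the `pppoe` line with the rest of the file.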

PS:

There are two places where the SELinux policy sources live:
|–device/rockchip/common/sepolicy/
|–external/sepolicy/
Build and apply:

mmm external/sepolicy/ && ./mkimage.sh

Then flash boot.img and recovery.img (optional) with the flashing tool.

Problem 2:

File access is denied: listing a directory, reading file attributes, creating files, writing, and so on.
A custom private partition is used, mounted at /private.
The typical error log is:

 #type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
This shows: system_server cannot perform the search operation on a dir of type vfat.
The fix is to add the following to the TE file:
+allow system_server vfat:dir {search};

 #type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
+allow system_app system_app_data_file:file{ execute };
Other problems are fixed in the same way.

Grant system_app read/write access:

diff --git a/device/rockchip/common/sepolicy/file.te b/device/rockchip/common/sepolicy/file.te
old mode 100644
new mode 100755
index 371e1dc..1cd6326
--- a/device/rockchip/common/sepolicy/file.te
+++ b/device/rockchip/common/sepolicy/file.te
@@ -26,10 +26,11 @@ type rpc_send_socket, file_type;
 type rpc_reg_socket, file_type;

 type metadata_file, file_type;
+type private_file, file_type;

diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
old mode 100644
new mode 100755
index fc55766..118ed6b
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -11,6 +11,9 @@
 # Bluetooth
 /dev/ttyBT(.*)                  u:object_r:tty_device:s0

 # logcat
 /system/bin/logcat              u:object_r:logcat_exec:s0
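Review bot: the hunk header `@@ -11,6 +11,9 @@` announces three added lines, but only unchanged context is shown, so this hunk is incomplete as pasted; the `/dev/ttyACM[0-9]*  u:object_r:tty_device:s0` entry shown later under the USB/serial section is probably what belongs here.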

@@ -127,6 +130,7 @@
 /system/bin/akmd     u:object_r:akmd_exec:s0

 /metadata(/.*)?      u:object_r:metadata_file:s0
+/private(/.*)?      u:object_r:private_file:s0

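Review bot: `/private(/.*)?  u:object_r:private_file:s0` only takes effect on a filesystem that stores security xattrs (ext4, f2fs). The Problem 2 denial quoted above shows `tcontext=u:object_r:vfat:s0` for `name="/" dev="sda1"`; if the private partition is vfat, file_contexts is never consulted for it and every inode carries the type from the mount's `context=` option. In that case the label has to be set in the fstab mount options (`context=u:object_r:private_file:s0`), and this file_contexts line alone will not stop the `system_server vfat:dir search` denial.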
+++ b/device/rockchip/common/sepolicy/system_app.te
@@ -18,6 +18,39 @@ allow system_app cache_file:file create_file_perms;
 allow system_app thermal_file:file rw_file_perms;
 allow system_app pekallfmrserver:binder { call transfer };
 allow system_app default_prop:property_service { set };
+#private
+allow system_app private_file:dir rw_dir_perms;
+allow system_app private_file:file execute;
+allow system_app private_file:file rw_file_perms;
+allow system_app private_file:dir { append create open write getattr setattr rename execute};
+allow system_app private_file:file { append unlink create open write getattr setattr rename execute};
+allow system_app toolbox_exec:file { read open getattr execute execute_no_trans};
+allow system_app su_exec:file { read open getattr execute execute_no_trans};
+
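Review bot: the `allow system_app su_exec:file { ... execute execute_no_trans }` and `toolbox_exec` lines go well beyond what the /private denials call for; the su_exec rule lets every process in the system_app domain run su without a domain transition, which defeats the purpose of moving to enforcing mode, so it should be dropped or at least justified in a comment. The two `private_file` rules with explicit permission lists duplicate the `rw_dir_perms`/`rw_file_perms` macros two lines above, and `execute` on a `dir` object does nothing useful here; keep the macro forms and use `create_dir_perms`/`create_file_perms` if create, unlink, rename and setattr are actually needed. The header `@@ -18,6 +18,39 @@` also announces 33 added lines while only 8 are shown, so the hunk is truncated as pasted.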

Another example, USB and serial port access:
Define the ttyACM devices in
|–device/rockchip/common/sepolicy/file_contexts

# ACM
/dev/ttyACM[0-9]*               u:object_r:tty_device:s0

|–device/rockchip/common/sepolicy/system_app.te

+allow system_app usb_device:dir rw_dir_perms;
+allow system_app tty_device:dir rw_dir_perms;
+allow system_app usb_device:chr_file {lock open read write ioctl};
+allow system_app tty_device:chr_file {lock open read write ioctl};

Problem 3:

When an added rule conflicts with an existing definition, the build fails:

mmm external/sepolicy/

libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 1 neverallow failures occurred
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
Error while expanding policy
make: *** [out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy] 错误 1
make: *** 正在等待未完成的任务....
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

The key line is:

neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) 

Look directly at what the policy.conf file contains:
|–out/target/product/rk3288/obj/ETC/sepolicy_intermediates/policy.conf

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

The cause is that I tried to add read/write access to device-node files for system apps in system_app.te:

allow system_app sysfs:file { read write getattr open };
// This definition conflicts with the one in |--external/sepolicy/app.te:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;

Solution:
|–external/sepolicy/app.te

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
// change to:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app}
    sysfs:dir_file_class_set write;
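To see why the build rejects the rule, it helps to expand the assertion the way libsepol does: appdomain is an attribute, so the neverallow applies to every domain carrying it minus the listed exclusions, and dir_file_class_set is a macro for a set of object classes. The following is an added example, not part of this post, that performs that expansion on the two statements quoted above and reports the intersection. The attribute membership and class-set contents are reduced, constructed samples, not the real policy, and only the un-expanded macro form (as written in app.te) is parsed, not the nested-brace form policy.conf shows.

```python
import re

# Constructed toy attribute membership; the real appdomain set is much larger.
ATTRIBUTES = {
    "appdomain": {"untrusted_app", "platform_app", "system_app", "bluetooth", "nfc"},
}
# Constructed subset of the dir_file_class_set macro from the policy's global macros.
CLASS_SETS = {
    "dir_file_class_set": {"dir", "file", "lnk_file", "sock_file", "fifo_file",
                           "chr_file", "blk_file"},
}

# Parses `allow` / `neverallow` in the macro form quoted from app.te:
# a type set (braces with -exclusions) or single type, a target, a class or
# class-set macro, and a permission or brace-enclosed permission set.
RULE_RE = re.compile(
    r"(?P<kind>neverallow|allow)\s+"
    r"(?P<src>\{[^}]*\}|[^\s:;{}]+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s:;{}]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|[^\s:;{}]+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s:;{}]+)\s*;"
)


def expand_typeset(expr):
    """'{ appdomain -bluetooth -nfc }' -> concrete types: positives first,
    then exclusions, the way the policy compiler evaluates a type set."""
    tokens = expr.strip("{} ").split()
    result = set()
    for tok in tokens:
        if not tok.startswith("-"):
            result |= ATTRIBUTES.get(tok, {tok})
    for tok in tokens:
        if tok.startswith("-"):
            result -= ATTRIBUTES.get(tok[1:], {tok[1:]})
    return result


def expand_classes(expr):
    """A class-set macro name, a brace list, or a single class -> set of classes."""
    if expr.startswith("{"):
        return set(expr.strip("{} ").split())
    return CLASS_SETS.get(expr, {expr})


def parse_rule(text):
    m = RULE_RE.search(text)
    if m is None:
        raise ValueError("not an allow/neverallow rule: %r" % text)
    return {
        "kind": m.group("kind"),
        "src": expand_typeset(m.group("src")),
        "tgt": expand_typeset(m.group("tgt")),
        "cls": expand_classes(m.group("cls")),
        "perms": set(m.group("perms").strip("{} ").split()),
    }


def violations(neverallow_text, allow_texts):
    """Return the allow statements that intersect the neverallow on source,
    target, class and permission at once: these are what libsepol.report_failure
    lists as 'violated by allow ...' when the policy is built."""
    na = parse_rule(neverallow_text)
    bad = []
    for text in allow_texts:
        al = parse_rule(text)
        if (al["src"] & na["src"] and al["tgt"] & na["tgt"]
                and al["cls"] & na["cls"] and al["perms"] & na["perms"]):
            bad.append(text)
    return bad


# The two statements quoted in this post.
NEVERALLOW_APP_TE = ("neverallow { appdomain -bluetooth -nfc }\n"
                     "    sysfs:dir_file_class_set write;")
ALLOW_SYSTEM_APP = "allow system_app sysfs:file { read write getattr open };"

if __name__ == "__main__":
    for rule in violations(NEVERALLOW_APP_TE, [ALLOW_SYSTEM_APP]):
        print("neverallow violated by", rule)
```

Run as is, it reports the same violation the build log shows, and it reports nothing once -system_app is added to the exclusion list, which is the post's fix. Note that external/sepolicy/app.te is AOSP policy and CTS checks the AOSP neverallow set on the device (the post makes the same point about domain.te in section III), so a build that edits it will fail that test; the narrower fix is to give the specific sysfs nodes that system_app needs a dedicated type in file_contexts or genfs_contexts and allow write only to that type.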

Several useful commands:

1. getenforce / setenforce
Query and set the SELinux mode
2. ls -Z <file>
Show the SELinux context of a file
3. ps -Z

Show the SELinux context of processes


I. Determining the SELinux file type

Inspect a file's security context and change it

1. Go to the relevant directory and look

root@Z00T:/cd system/bin/
root@Z00T:/ls -Z | grep demo

PS: replace demo with the name of the file you want to inspect.
Normally, because no SELinux label has been set for demo, it defaults to a generic system file:
demo u:object_r:system_file:s0

2. Add a policy file that defines the file type
1) Add the required policy file demo.te (here demo is an executable, as an example)
Create a new file demo.te under device/qcom/sepolicy/common:

type demo, domain;
type demo_exec, exec_type, file_type;
init_daemon_domain(demo)

This defines demo as a domain and demo_exec as an executable file type.

2) Set up the file-context match
In device/qcom/sepolicy/common/file_contexts, add the matching entry:

/system/bin/demo u:object_r:demo_exec:s0

PS: every demo above can be replaced with the file name you need.

Now repeat step 1 to see whether it took effect. Note that demo must not be a file pushed onto the device with adb push, otherwise file_contexts will not recognise it. Only after this do the denials the kernel logs represent the permissions that actually need to be added.

To check that the build picked it up: look at out/target/product/<>/root/file_contexts and out/target/product/<>/obj/ETC/file_contexts_intermediates/file_contexts.

PS: if demo is only a resource file, you can add the matching entry directly in file_contexts; all file types can be seen in device/qcom/sepolicy/common/file.te.
demo u:object_r:system_file:s0, replacing system_file with the required file type.

II. Adding SELinux permissions

Add the permissions according to the denied-permission information reported in the kernel log.

For example, the kernel reports errors like these:

# cat /dev/kmsg
[  172.554381] type=1400 audit(22611.739:4): avc:  denied  { getattr } for  pid=257 comm="demo" path="/system/rfs"             dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
[  173.287498] type=1400 audit(22612.479:5): avc:  denied  { relabelfrom } for  pid=257 comm="demo" name="rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0

The domain can usually be read off the comm and scontext fields, which tells us which te file to modify.

Add a statement to the corresponding te file, in the format:

allow sourcecontext targetcontext:class permission;

For example:

[ 172.554381] type=1400 audit(22611.739:4): avc: denied { getattr } for pid=257 comm="update_binary" path="/system/rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0

sourcecontext is recovery from "scontext=u:r:recovery:s0", targetcontext is rfs_system_file from "tcontext=u:object_r:rfs_system_file:s0", class is dir from "tclass=dir", and the permission is getattr inside the "{ }",
so add the statement:

allow recovery rfs_system_file:dir getattr;
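The parse-and-derive step just described is the same one the post walks through by hand for the Problem 2 denials. Below is an added example, not code from the post, that automates it for the logcat and /dev/kmsg formats shown on this page: it extracts source type, target type, class and permissions from each `avc: denied` line, merges the denials for one (source, target, class) into a single `allow` statement, and reports service_manager denials separately, since the post fixes those by relabelling the service in service_contexts rather than with an allow rule. The sample log lines are copied from this post; the `<dedicated_type>` placeholder in the hint is not a real type name.

```python
import re
from collections import defaultdict

# Log lines copied from this post (logcat and /dev/kmsg formats), plus one
# non-AVC ServiceManager line to show that it is ignored.
SAMPLE_LOG = """\
01-02 02:17:00.322 E/SELinux (  171): avc:  denied  { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager(  171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
[  172.554381] type=1400 audit(22611.739:4): avc:  denied  { getattr } for  pid=257 comm="demo" path="/system/rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
[  173.287498] type=1400 audit(22612.479:5): avc:  denied  { relabelfrom } for  pid=257 comm="demo" name="rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
"""

# Matches "avc:  denied  { add } for ..." (logcat) and "avc: denied { getattr } for  ..." (kmsg).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values may be quoted (path="/system/rfs") or bare (tclass=dir).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial that the post reads off by hand:
    permissions, source type, target type, object class and the raw fields.
    Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # u:r:system_server:s0 -> system_server ; u:object_r:vfat:s0 -> vfat
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group("perms").split(), "source": source,
            "target": target, "tclass": tclass, "fields": fields}


def suggest(log_text):
    """Aggregate every denial in log_text.

    Returns (allow_rules, service_hints). allow_rules are `allow` statements in
    the section II format, one per (source, target, class) with the denied
    permissions merged. service_manager denials become hints instead, because
    the right fix for those is a service_contexts entry, not an allow rule."""
    perms_by_key = defaultdict(set)
    service_hints = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if d["tclass"] == "service_manager":
            name = d["fields"].get("service", "?")
            service_hints.append(
                "%s is labelled %s; give it its own service_contexts entry "
                "(%s  u:object_r:<dedicated_type>:s0)" % (name, d["target"], name))
            continue
        perms_by_key[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    allow_rules = [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]
    return allow_rules, service_hints


if __name__ == "__main__":
    rules, hints = suggest(SAMPLE_LOG)
    print("\n".join(rules))
    print("\n".join(hints))
```

Like audit2allow, this only proposes the most direct allow rule. Before adding it, check whether the target type is a broad generic one (vfat, sysfs, default_android_service): a rule such as `allow system_server vfat:dir { search }` opens every vfat mount to system_server, and a dedicated type for the one partition or node in question (as the post does with private_file) is usually the better fix. The rule must also not intersect an AOSP neverallow, which is what Problem 3 is about.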

III. Fixing build errors

Block device access exceeds the allowed permissions

Access to a block device can fail the build because of a neverallow rule. Do not modify /external/sepolicy/domain.te to get around it, since that makes CTS fail; instead, give the domain access to the specific block device.

The relevant block device can be defined in device/qcom/sepolicy/msm89xx/file_contexts. If the build still fails with an error that the block device is not defined, define it in /external/sepolicy/device.te. Then continue as in step II.

Default property access exceeds the allowed permissions

Sometimes access to a default property is blocked by a neverallow and the build fails. As above, do not modify domain.te; instead define a property type in device/qcom/sepolicy/common/property.te:

type demo_prop, property_type;

Then match the property you need to access in device/qcom/sepolicy/common/property_contexts:

adb.on                     u:object_r:demo_prop:s0

Then continue as in step II.

Operational access

When you need to perform some operation manually, run cat /dev/kmsg to see what permission is needed, then find the specific te file and make the change.

For example, when mounting a partition:

avc: denied { associate } for pid=4256 comm="mount" scontext=u:object_r:fac_file:s0 tcontext=u:object_r:fac_file:s0 tclass=filesystem permissive=0

This shows that mount lacks the relevant permission; add it in init.te.

