android selinux

1.涉及文件

android/device/qcom/sepolicy/common/*.te
android/external/sepolicy/*.te

---

---

2.检查是否为selinux权限问题

seteforce 0 // 关闭selinux

在 seteforce 0 的情况下抓取logcat 过滤关键字 avc
logcat |grep avc

W/vold    (  338): type=1400 audit(0.0:34): avc: denied { create } for name="smdl76259125.tmp.asec" scontext=u:r:vold:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file
W/vold    (  338): type=1400 audit(0.0:35): avc: denied { open } for name="smdl76259125.tmp.asec" dev="tmpfs" ino=24405 scontext=u:r:vold:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file
W/vold    (  338): type=1400 audit(0.0:36): avc: denied { getattr } for path="/mnt/secure/asec/smdl76259125.tmp.asec" dev="tmpfs" ino=24405 scontext=u:r:vold:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file
W/vold    (  338): type=1400 audit(0.0:37): avc: denied { rename } for name="smdl76259125.tmp.asec" dev="tmpfs" ino=24405 scontext=u:r:vold:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file
W/m.android.phone( 1148): type=1400 audit(0.0:38): avc: denied { getattr } for path="/mnt/asec/com.baidu.appsearch-2/base.apk" dev="dm-0" ino=12 scontext=u:r:radio:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
W/m.android.phone( 1148): type=1400 audit(0.0:39): avc: denied { read } for name="base.apk" dev="dm-0" ino=12 scontext=u:r:radio:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
W/m.android.phone( 1148): type=1400 audit(0.0:40): avc: denied { open } for name="base.apk" dev="dm-0" ino=12 scontext=u:r:radio:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
W/installd(  257): type=1400 audit(0.0:41): avc: denied { getattr } for path="/mnt/secure/asec/com.baidu.appsearch-2.asec" dev="tmpfs" ino=24405 scontext=u:r:installd:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file

---

---

3.工具转换

audit2allow -i avc.txt -o avc.te

#============= installd ==============
4 allow installd vold_tmpfs:file getattr;
5
6 #============= radio ==============
7 allow radio asec_apk_file:file { read getattr open };
8
9 #============= vold ==============
10 allow vold vold_tmpfs:file { rename create open getattr };

---

---

4.权限解析

W/vold ( 338): type=1400 audit(0.0:34): avc: denied { create } for name=”smdl76259125.tmp.asec” scontext=u:r:vold:s0 tcontext=u:object_r:vold_tmpfs:s0 tclass=file

denied 表示权限 u表示进程 object_r 表示文件

5.常见问题

5.1 file_context需整编system

5.2
testAospSeappContexts/testAospFil
eContexts/testAospPropertyContexts/testAosp
ServiceContexts fail的解决方案
[DESCRIPTION]
android.cts.security.SELinuxHostTest 中有一类cases，比如
testAospSeappContexts/testAospFileContexts/testAospPropertyContexts/testAospServiceCont
exts
会去验证原生的/external/sepolicy/XXX_contexts有没有被修改过,若内容有修改,一定会fail,报
错类似于下面这样