Selinux type 编写示例

以下是从aosp 中，分析如何定义的type 和allow 规则
1.定义type （domain）
hal_light 这个type的定义

type hal_light_default, domain;
hal_server_domain(hal_light_default, hal_light)

aosp/system/sepolicy/vendor/qcom/common/hal_light_default.te

define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')

2.定义 Object type 

aosp/device/google/crosshatch-sepolicy/vendor/qcom/common/file.te
type sysfs_graphics, sysfs_type, fs_type;
type sysfs_lights, sysfs_type, fs_type;
                   （attribute   )

                   
3.Labeing Object

aosp/system/sepolicy/vendor

genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-0043/leds                u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-005a/leds                u:object_r:sysfs_leds:s0
genfs_contexts:51:genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@51/backlight/panel0-backlight/vr_mode   u:object_r:sysfs_lights:s0

4.Labeing Subject

aosp/system/sepolicy/vendor

file_contexts:/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
file_contexts:/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy     u:object_r:hal_light_default_exec:s0
hal_light_default.te:type hal_light_default, domain;
hal_light_default.te:hal_server_domain(hal_light_default, hal_light)
hal_light_default.te:type hal_light_default_exec, exec_type, vendor_file_type, file_type;
hal_light_default.te:init_daemon_domain(hal_light_default)

5.allow 语句
device/google/crosshatch-sepolicy/vendor/qcom/common/hal_light.te

allow 语句：
 

allow hal_light sysfs_graphics:dir search;
allow hal_light sysfs_graphics:file rw_file_perms;
allow hal_light sysfs_lights:dir search;
allow hal_light sysfs_lights:file rw_file_perms;