Linux, disabling local policy application: how do I disable SELinux or allow a new domain in the SELinux policy in an AOSP 9 build?...

I am trying to build AOSP 9 with a new daemon, but SELinux won't let me.

My sierra_config_ip.te file starts like this:

type sierra_config_ip, domain;
permissive sierra_config_ip;
type sierra_config_ip_exec, exec_type, file_type;
init_daemon_domain(sierra_config_ip)

My file_contexts is:

/(vendor|system/vendor)/bin/init.config.ip u:object_r:sierra_config_ip_exec:s0

My init.rc is:

service sierra_config_ip /vendor/bin/init.config.ip
    class main
    user root
    group radio cache inet misc dhcp
    capabilities BLOCK_SUSPEND NET_ADMIN NET_RAW
    disabled
    oneshot

But I always get the following error:

[ 0% 3/56037] build out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd sierra_dhcpcd_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip sierra_config_ip_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip dhcp_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip shell_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_config_ip net_data_file:dir { search };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_dhcpcd net_data_file:dir { search };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip net_data_file:file { open };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip dhcp_data_file:file { create setattr lock map unlink rename open };
libsepol.check_assertions: 10 neverallow failures occurred
Error while expanding policy

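I don't know why it doesn't work; I followed the steps described in other topics here (such as this one). Can anyone help me?

Besides that, I tried disabling SELinux so that I could finally build Android. To do that, I put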

enforcing=0 androidboot.selinux=disabled

in BOARD_KERNEL_CMDLINE in BoardConfig.mk, but the policy is built beforehand, and the error occurred again!

I also tried putting -sierra_config_ip into domain.te:

full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones whitelist here.
    neverallow {
        domain
        -coredomain
        -appdomain
        -vendor_executes_system_violators
        -vendor_init
        -evs_domain
        -sierra_config_ip
    } {
        exec_type
        -vendor_file_type
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
')

But I get the following error:

system/sepolicy/public/domain.te:1005:ERROR 'unknown type sierra_config_ip' at token ';' on line 11251:
#line 1005
}:file { entrypoint execute execute_no_trans };

Thanks in advance for your help! :)
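
Added example, not part of the original post: a small Python parser for the libsepol.report_failure lines in the build log above, grouping the violations by neverallow rule and source domain so that each rule in domain.te only has to be looked up once. The function names are hypothetical, and the sample input is four lines copied from that log.

```python
import re
from collections import defaultdict

# Sample input: four failure lines copied from the build log quoted in the post.
SAMPLE_LOG = """\
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip sierra_config_ip_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_dhcpcd net_data_file:dir { search };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip dhcp_data_file:file { create setattr lock map unlink rename open };
"""

FAILURE_RE = re.compile(
    r"libsepol\.report_failure: neverallow on line (?P<line>\d+) of (?P<file>\S+)"
    r" \(or line (?P<conf_line>\d+) of policy\.conf\)"
    r" violated by allow (?P<source>\S+) (?P<target>[^\s:]+):(?P<tclass>\S+)"
    r" \{ (?P<perms>[^}]*)\};"
)

def parse_failures(log_text):
    """Return one dict per libsepol.report_failure line found in log_text."""
    failures = []
    for m in FAILURE_RE.finditer(log_text):
        rec = m.groupdict()
        rec["line"] = int(rec["line"])            # line in the .te source file
        rec["conf_line"] = int(rec["conf_line"])  # line in the expanded policy.conf
        rec["perms"] = rec["perms"].split()
        failures.append(rec)
    return failures

def group_by_rule(failures):
    """Map (policy file, neverallow line) -> {source domain: [(target, class, perms)]}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for f in failures:
        key = (f["file"], f["line"])
        grouped[key][f["source"]].append((f["target"], f["tclass"], f["perms"]))
    return grouped

if __name__ == "__main__":
    for (path, line), by_source in sorted(group_by_rule(parse_failures(SAMPLE_LOG)).items()):
        print(f"{path}:{line}")
        for source, denied in sorted(by_source.items()):
            for target, tclass, perms in denied:
                print(f"  {source} -> {target}:{tclass} {{ {' '.join(perms)} }}")
```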
