Installing audit2allow
sudo apt install policycoreutils
or
copy external/selinux/python/audit2allow/audit2allow from the Android source tree to /usr/bin/
Using audit2allow
1. Capture the log and save it to a file:
adb logcat -b all > error_log.txt
2. Analyze the SELinux denials in the log:
audit2allow -i error_log.txt
On some systems, running audit2allow fails with the error "unable to open (null): Bad address".
There are two ways to work around this problem:
2.1 sudo vim /usr/bin/audit2allow
Comment out the four lines shown below. The error is triggered by the call to audit2why.init(); the exact root cause is unknown.
    def main(self):
        try:
            self.__parse_options()
            # audit2why is only needed for -w/--why; skip its initialization
            # if self.__options.policy:
            #     audit2why.init(self.__options.policy)
            # else:
            #     audit2why.init()
2.2 Pass the -p option. According to audit2allow's help output, -p takes a policy file:
Usage: audit2allow [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -b, --boot            audit messages since last boot conflicts with -i
  -a, --all             read input from audit log - conflicts with -i
  -p POLICY, --policy=POLICY
                        Policy file to use for analysis
  -d, --dmesg           read input from dmesg - conflicts with --all and
                        --input
  -i INPUT, --input=INPUT
                        read input from <input> - conflicts with -a
  -l, --lastreload      read input only after the last reload
  -r, --requires        generate require statements for rules
  -m MODULE, --module=MODULE
                        set the module name - implies --requires
  -M MODULE_PACKAGE, --module-package=MODULE_PACKAGE
                        generate a module package - conflicts with -o and -m
  -o OUTPUT, --output=OUTPUT
                        append output to <filename>, conflicts with -M
  -D, --dontaudit       generate policy with dontaudit rules
  -R, --reference       generate refpolicy style output
  -N, --noreference     do not generate refpolicy style output
  -v, --verbose         explain generated output
  -e, --explain         fully explain generated output
  -t TYPE, --type=TYPE  only process messages with a type that matches this
                        regex
  --perm-map=PERM_MAP   file name of perm map
  --interface-info=INTERFACE_INFO
                        file name of interface information
  --debug               leave generated modules for -M
  -w, --why             Translates SELinux audit messages into a description
                        of why the access was denied
An Android build normally places the compiled policy under out/, so you can locate it with find, for example:
R4250-dev$ find out/target/product/ -name sepolicy
out/target/product/<project_name>/recovery/root/sepolicy
Overall, if you rarely use the audit2why feature, approach 2.1 is the more convenient one: fix it once and be done with it.
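To show what audit2allow does with the logcat capture from step 2, here is an added example that is not part of these notes and not audit2allow's own code: a small Python parser that pulls the "avc: denied" records out of a logcat file and folds them into allow rules, one per (source type, target type, class), in the same shape audit2allow prints. The log lines in SAMPLE_LOG are constructed samples, not a real device capture.

```python
import re
import sys
from collections import defaultdict

# AVC denial as printed in Android logcat/dmesg: avc: denied { perms } for ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Constructed sample of an `adb logcat -b all` capture (not a real device log).
SAMPLE_LOG = """\
01-01 00:00:01.000  1234  1234 W hal_foo : type=1400 audit(0.0:12): avc: denied { read } for name="cfg" scontext=u:r:hal_foo_default:s0 tcontext=u:object_r:vendor_configs_file:s0 tclass=file permissive=0
01-01 00:00:01.001  1234  1234 W hal_foo : type=1400 audit(0.0:13): avc: denied { write } for name="cfg" scontext=u:r:hal_foo_default:s0 tcontext=u:object_r:vendor_configs_file:s0 tclass=file permissive=0
01-01 00:00:02.000  2345  2345 I app     : type=1400 audit(0.0:14): avc: denied { search } for name="data" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
01-01 00:00:03.000     1     1 I init    : starting service 'hal_foo'
"""

def context_type(ctx):
    # Android contexts look like user:role:type:sensitivity[:categories]; policy rules use the type.
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_denials(lines):
    """Collect the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # lines that are not AVC denials are ignored
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def format_rules(rules):
    """Render rules in audit2allow's output form: braces only when there are several permissions."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

def allow_rules_from_log(text):
    return format_rules(parse_denials(text.splitlines()))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(allow_rules_from_log(text)))
```

Run it as `python3 avc_rules.py error_log.txt` (without an argument it processes the embedded sample). Treat the output as a list to review rather than policy to paste in: an allow rule generated from a denial may contradict the neverallow rules in the Android policy, and the build will reject it.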