本文转载自:https://blog.csdn.net/yin1031468524/article/details/75644874
在系统中添加某个“*.te”后,可能会出现下面的错误:
libsepol.report_failure: neverallow on line 263 of system/sepolicy/domain.te (or line 9133 of policy.conf) violated by allow xx device:chr_file { read write open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
这是因为在“system/sepolicy/domain.te” 添加了一些neverallow rules,导致编译检查的时候出现错误
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
只需要根据错误的提示,在system/sepolicy/domain.te找到对应的neverallow规则修改即可,我编译出现error的是allow xx device:chr_fi