Platform:
RK3288 + Android 5.1.1
Switch the SELinux mode to enforcing (the default on this build is permissive, which only logs denials and blocks nothing, so the policy protects nothing until the switch is made)
The main change is in parameter:
FIRMWARE_VER:5.1.1
MACHINE_MODEL:rk3288
...
#private 6GB, System 512MB, Data 3GB, origin 512MB
CMDLINE:console=ttyFIQ0 androidboot.selinux=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00040000@0x00050000(cache),0x00002000@0x00090000(kpanic),0x00400000@0x00092000(system),0x00008000@0x00492000(metadata),0x00C00000@0x0049A000(private),0x0012C000@0x0109A000(origin),0x00600000@0x011C6000(userdata),0x00020000@0x017C6000(radical_update),-@0x017E6000(user)
The part that matters: androidboot.selinux=enforcing
init takes this value from the kernel command line (it shows up as ro.boot.selinux), so whoever can rewrite the parameter partition or the bootloader can switch the device back to permissive; the setting is only as trustworthy as the boot chain protecting it. Later AOSP releases honour androidboot.selinux=permissive only on userdebug/eng builds and come up enforcing on user builds regardless; a build whose default is permissive, as here, is honouring the flag the way a userdebug/eng build does.
After the system boots, check with getenforce whether the change took effect:
# adb shell getenforce
Enforcing
Problem 1:
A custom service cannot start and Android reboots in a loop. What happens: system_server publishes the service with ServiceManager.addService(), servicemanager asks SELinux whether system_server may add a service with that name, and because the name has no entry in service_contexts it carries the fallback label default_android_service, which system_server is not allowed to add. addService() throws a SecurityException inside system_server, system_server is killed, and every service it hosts dies with it. Log:
01-02 02:17:00.313 I/ActivityManagerService( 3003): Start proc 3581:com.android.settings/1000 for broadcast com.android.settings/.HdmiReceiver
01-02 02:17:00.322 D/SystemControlerService( 3003): ALog onServiceConnected
01-02 02:17:00.322 E/SELinux ( 171): avc: denied { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager( 171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:17:00.323 D/SystemControlerService( 3538): ALog android.net.wifi.WIFI_STATE_CHANGED
01-02 02:17:00.323 D/AndroidRuntime( 3003): Shutting down VM
01-02 02:17:00.323 E/AndroidRuntime( 3003): *** FATAL EXCEPTION IN SYSTEM PROCESS: main
01-02 02:17:00.323 E/AndroidRuntime( 3003): java.lang.SecurityException
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.BinderProxy.transactNative(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.os.SystemControlerService.access$000(SystemControlerService.java:51)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.os.SystemControlerService$1.onServiceConnected(SystemControlerService.java:80)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1208)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1225)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.Handler.handleCallback(Handler.java:739)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.Handler.dispatchMessage(Handler.java:95)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.Looper.loop(Looper.java:135)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemServer.run(SystemServer.java:274)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at java.lang.reflect.Method.invoke(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:17:00.328 E/ActivityManagerService( 3003): warning: could NOT find SYSTEMCTRL_SERVICE service
01-02 02:17:00.521 W/art ( 3003): Long monitor contention event with owner method=boolean com.android.server.am.ActivityManagerService.unbindService(android.app.IServiceConnection) from ActivityManagerService.java:15763 waiters=0 for 192ms
01-02 02:17:00.522 E/AndroidRuntime( 3003): Error reporting crash
01-02 02:17:00.522 E/AndroidRuntime( 3003): java.lang.NullPointerException: Attempt to read from field 'android.content.pm.ApplicationInfo com.android.server.am.ProcessRecord.info' on a null object reference
01-02 02:17:00.522 E/AndroidRuntime( 3003): at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11969)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at com.android.server.am.ActivityManagerService.handleApplicationCrash(ActivityManagerService.java:11945)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at com.android.internal.os.RuntimeInit$UncaughtHandler.uncaughtException(RuntimeInit.java:89)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:693)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:690)
01-02 02:17:00.522 I/Process ( 3003): Sending signal. PID: 3003 SIG: 9
01-02 02:17:00.587 I/ServiceManager( 171): service 'display' died
01-02 02:17:00.588 W/AudioFlinger( 2778): power manager service died !!!
01-02 02:17:00.590 E/WifiManager( 3108): Channel connection lost
01-02 02:17:00.591 D/SurfaceFlinger( 174): Set power mode=2, type=0 flinger=0xb7b91550
01-02 02:17:00.591 D/SurfaceFlinger( 174): Screen type=0 is already mode=2
01-02 02:17:00.599 I/ServiceManager( 171): service 'hardware' died
01-02 02:17:00.600 E/BufferQueueProducer( 174): [StatusBar] queueBuffer: BufferQueue has been abandoned
01-02 02:17:00.600 E/Surface ( 3108): queueBuffer: error queuing buffer to SurfaceTexture, -19
01-02 02:17:00.600 F/OpenGLRenderer( 3108): Encountered EGL error 12299 EGL_BAD_NATIVE_WINDOW during rendering
01-02 02:17:00.601 F/libc ( 3108): Fatal signal 6 (SIGABRT), code -6 in tid 3526 (RenderThread)
01-02 02:17:00.603 I/ServiceManager( 171): service 'webviewupdate' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'consumer_ir' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'user' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'sensorservice' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'batterystats' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'appops' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'power' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'device_policy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'input' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'input_method' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'clipboard' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'account' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'entropy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'vibrator' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'cpuinfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'procstats' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'mount' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'telephony.registry' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'devicestoragemonitor' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'content' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'gfxinfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'package' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'statusbar' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'meminfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'dbinfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'permission' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'activity' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'servicediscovery' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'netstats' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'wifip2p' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'usagestats' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'textservices' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'scheduling_policy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'battery' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'alarm' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'lock_settings' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'accessibility' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'window' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'bluetooth_manager' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'network_score' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'netpolicy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'network_management' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'search' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'country_detector' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'wifiscanner' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'wifi' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'ethernet' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'location' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'rttmanager' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'connectivity' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'updatelock' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'notification' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'dreams' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'wallpaper' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'dropbox' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'DockObserver' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'media_session' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'audio' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'usb' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'assetatlas' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'uimode' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'jobscheduler' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'samplingprofiler' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'voiceinteraction' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'appwidget' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'commontime_management' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'backup' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'serial' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'diskstats' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'media_router' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'display_device_management' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'media_projection' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'fingerprint' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'trust' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'restrictions' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'print' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'imms' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'launcherapps' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'telecom' died
01-02 02:17:00.702 E/DEBUG ( 189): Failed to find a valid tombstone, default to using tombstone 0.
01-02 02:17:00.702 E/DEBUG ( 189): failed to open tombstone file '/data/tombstones/tombstone_00': No such file or directory
01-02 02:17:00.702 I/DEBUG ( 189): Skipping tombstone write, nothing to do.
01-02 02:17:00.726 I/BootAnimation( 3601): boot_animation_process start, built at '18:49:46', on 'Sep 21 2017'.
Another example:
01-02 02:25:23.372 I/SystemServiceManager( 495): Starting com.android.server.pppoe.PppoeService
01-02 02:25:23.373 I/PppoeServiceImpl( 495): Creating PppoeServiceImpl
01-02 02:25:23.375 I/PppoeService( 495): Registering service pppoe
01-02 02:25:23.376 E/SELinux ( 171): avc: denied { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager( 171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 W/SystemServer( 495): ***********************************************
01-02 02:25:23.377 F/SystemServer( 495): BOOT FAILURE start PppoeService error
01-02 02:25:23.377 F/SystemServer( 495): java.lang.RuntimeException: Failed to start service com.android.server.pppoe.PppoeService: onStart threw an exception
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:111)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:65)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServer.startOtherServices(SystemServer.java:709)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServer.run(SystemServer.java:261)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:25:23.377 F/SystemServer( 495): at java.lang.reflect.Method.invoke(Native Method)
01-02 02:25:23.377 F/SystemServer( 495): at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:25:23.377 F/SystemServer( 495): Caused by: java.lang.SecurityException
01-02 02:25:23.377 F/SystemServer( 495): at android.os.BinderProxy.transactNative(Native Method)
01-02 02:25:23.377 F/SystemServer( 495): at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:25:23.377 F/SystemServer( 495): at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:25:23.377 F/SystemServer( 495): at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.pppoe.PppoeService.onStart(PppoeService.java:40)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:109)
01-02 02:25:23.377 F/SystemServer( 495): ... 8 more
01-02 02:25:23.377 I/SystemServer( 495): Connectivity Service
01-02 02:25:23.380 D/ConnectivityService( 495): ConnectivityService starting up
The lines in the log that matter (scontext is the requesting domain, tcontext the label of the service name, tclass the object class, and the braces hold the denied permission):
01-02 02:17:00.322 E/SELinux ( 171): avc: denied { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager( 171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 E/SELinux ( 171): avc: denied { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager( 171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
-------- Solution --------
$ git diff device/rockchip/common/sepolicy/service_contexts diff --git a/device/rockchip/common/sepolicy/service_contexts b/device/rockchip/common/sepolicy/service_contexts old mode 100644 new mode 100755 index 216f6b8..5cc9fd3 --- a/device/rockchip/common/sepolicy/service_contexts +++ b/device/rockchip/common/sepolicy/service_contexts @@ -2,3 +2,5 @@ fmradioservice u:object_r:radio_service:s0 oemtelephony u:object_r:radio_service:s0 msm.registry u:object_r:system_app_service:s0 +systemctrl u:object_r:system_server_service:s0 +pppoe u:object_r:system_server_service:s0
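Review bot: the added `systemctrl` entry does not match the denial it is meant to fix. The avc line reports `service=systemctrl_service` and servicemanager logs `add_service('systemctrl_service',60)`; service_contexts is keyed on the exact name passed to addService(), so `systemctrl` is never looked up and the `systemctrl_service` denial will recur with the default_android_service label. Change the line to `systemctrl_service u:object_r:system_server_service:s0` (the `pppoe` entry matches its denial and is fine). The `old mode 100644 / new mode 100755` change also marks a plain data file executable and should be left out of the commit.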
PS:
The SELinux policy sources live in two places:
|--device/rockchip/common/sepolicy/   (device policy; in 5.x it is pulled into the build through BOARD_SEPOLICY_DIRS/BOARD_SEPOLICY_UNION in the BoardConfig)
|--external/sepolicy/                 (AOSP platform policy)
Build and apply:
mmm external/sepolicy/ && ./mkimage.sh
Then flash boot.img (and recovery.img, optional) with the flashing tool. The compiled sepolicy, file_contexts and service_contexts are packaged in the ramdisk, so a changed policy only takes effect once the new boot.img (and recovery.img, for recovery mode) is on the device.
Problem 2:
File access is denied: listing a directory, reading file attributes, creating files, writing to them, and so on.
A custom private partition, mounted at /private.
The typical denial looks like this:
#type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
Read it as: the domain system_server may not perform search on a dir labelled vfat. permissive=0 says the access was really blocked (permissive=1 would mean it was only logged).
The fix is to add to the TE file:
+allow system_server vfat:dir {search};
#type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
+allow system_app system_app_data_file:file { execute };
Other denials are fixed the same way: take scontext, tcontext, tclass and the permission set straight from the avc line, grant only the permission that was denied, and check first whether the denial comes from a mislabelled file (then the fix belongs in file_contexts, not in a new allow rule).
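The two kinds of fix used on this page, a service_contexts entry for the service_manager denials of problem 1 and an allow rule for the file denials of problem 2, can be produced mechanically from the avc lines. The script below is an added example and is not code from the original post or from Rockchip; it reads logcat/dmesg lines, merges denials per (source, target, class) the way audit2allow does, and treats an `add` denial against default_android_service as a labelling problem rather than a missing rule. The mapping system_server -> system_server_service is an assumption that the policy still carries AOSP's `allow system_server system_server_service:service_manager add`; the input lines are the ones quoted on this page.

```python
"""Turn Android avc denials into fix suggestions.

Added example, not code from the original post. It reads logcat/dmesg lines
and applies the distinction this page draws between two kinds of fix:

  * a service_manager `add` denial against default_android_service means the
    service name has no entry in service_contexts (it fell back to the default
    label), so the fix is a service_contexts line, not an allow rule;
  * any other denial becomes an allow rule, merged per (source, target, class)
    in the same way audit2allow merges them.
"""
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
# key=value pairs between "for" and "scontext", e.g. name="/" dev="sda1" ino=1
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Which service_manager_type a domain's own services should carry. Only the
# mapping this page exercises is filled in (assumption: the vendor policy keeps
# AOSP's `allow system_server system_server_service:service_manager add`).
SERVICE_LABEL_FOR_DOMAIN = {
    "system_server": "system_server_service",
}

# Denial lines quoted from this page (problem 1 and problem 2), used as input.
SAMPLE_DENIALS = [
    "01-02 02:17:00.322 E/SELinux ( 171): avc: denied { add } for service=systemctrl_service "
    "scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager",
    "01-02 02:25:23.376 E/SELinux ( 171): avc: denied { add } for service=pppoe "
    "scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager",
    'type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 '
    "scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0",
    'type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" '
    'dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 '
    "tclass=file permissive=0",
]


def ctx_type(ctx):
    """u:r:system_server:s0 -> system_server (the third colon-separated field)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an avc denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "stype": ctx_type(m.group("scontext")),
        "ttype": ctx_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "fields": fields,
        # permissive=1 means the access was logged but still granted; permissive=0
        # (or no field at all, as logcat's E/SELinux lines print it) means blocked.
        "enforced": m.group("permissive") != "1",
    }


def suggest_fixes(lines):
    """Return (service_contexts_lines, allow_rules) for the denials in `lines`."""
    service_lines = {}   # service name -> service_contexts line
    rules = {}           # (stype, ttype, tclass) -> merged permission set
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        unlabeled_service = (
            d["tclass"] == "service_manager"
            and "add" in d["perms"]
            and d["ttype"] == "default_android_service"
            and "service" in d["fields"]
        )
        if unlabeled_service:
            name = d["fields"]["service"]
            label = SERVICE_LABEL_FOR_DOMAIN.get(d["stype"], "<pick a service_manager_type>")
            service_lines[name] = f"{name}  u:object_r:{label}:s0"
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    allow_rules = [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    ]
    return list(service_lines.values()), allow_rules


if __name__ == "__main__":
    svc, allow = suggest_fixes(SAMPLE_DENIALS)
    print("# service_contexts")
    print("\n".join(svc))
    print("# *.te")
    print("\n".join(allow))
```

Run against the four lines quoted above it emits `systemctrl_service  u:object_r:system_server_service:s0`, `pppoe  u:object_r:system_server_service:s0`, `allow system_server vfat:dir { search };` and `allow system_app system_app_data_file:file { execute };`. The service name is copied verbatim from the denial, which is the detail to check before committing a service_contexts change: the entry must match the string passed to addService(), not an abbreviation of it.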
Granting system_app read/write access to the private partition:
diff --git a/device/rockchip/common/sepolicy/file.te b/device/rockchip/common/sepolicy/file.te old mode 100644 new mode 100755 index 371e1dc..1cd6326 --- a/device/rockchip/common/sepolicy/file.te +++ b/device/rockchip/common/sepolicy/file.te @@ -26,10 +26,11 @@ type rpc_send_socket, file_type; type rpc_reg_socket, file_type; type metadata_file, file_type; +type private_file, file_type; diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts old mode 100644 new mode 100755 index fc55766..118ed6b --- a/device/rockchip/common/sepolicy/file_contexts +++ b/device/rockchip/common/sepolicy/file_contexts @@ -11,6 +11,9 @@ # Bluetooth /dev/ttyBT(.*) u:object_r:tty_device:s0 # logcat /system/bin/logcat u:object_r:logcat_exec:s0 @@ -127,6 +130,7 @@ /system/bin/akmd u:object_r:akmd_exec:s0 /metadata(/.*)? u:object_r:metadata_file:s0 +/private(/.*)? u:object_r:private_file:s0 +++ b/device/rockchip/common/sepolicy/system_app.te @@ -18,6 +18,39 @@ allow system_app cache_file:file create_file_perms; allow system_app thermal_file:file rw_file_perms; allow system_app pekallfmrserver:binder { call transfer }; allow system_app default_prop:property_service { set }; +#private +allow system_app private_file:dir rw_dir_perms; +allow system_app private_file:file execute; +allow system_app private_file:file rw_file_perms; +allow system_app private_file:dir { append create open write getattr setattr rename execute}; +allow system_app private_file:file { append unlink create open write getattr setattr rename execute}; +allow system_app toolbox_exec:file { read open getattr execute execute_no_trans}; +allow system_app su_exec:file { read open getattr execute execute_no_trans}; +
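Review bot: the system_app.te hunk grants `allow system_app su_exec:file { read open getattr execute execute_no_trans};`, which lets any app running as the system UID execute su and undoes the point of switching to enforcing; drop it, and drop the toolbox_exec line unless a specific binary is actually needed. The private_file rules give system_app both `write` (via rw_file_perms and the explicit set) and `execute` on the same file type, so any writable path under /private doubles as an executable one; if code has to run from /private, put it in a separately labelled read-only subtree. The rules also repeat themselves: `rw_dir_perms` and `rw_file_perms` already contain most of what the explicit `{ append create open write getattr setattr rename execute}` sets list again, and `execute` on a dir serves no purpose here; keep one form per object class.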
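Review bot: the file_contexts entry `/private(/.*)? u:object_r:private_file:s0` only labels files that are relabelled against it; a separately mounted partition does not pick the label up on its own, and files left with the filesystem's default label will still be denied after this change. Either run `restorecon_recursive /private` from the device init.rc after the mount, or mount the partition with `context=u:object_r:private_file:s0` in the fstab (the only option if the filesystem has no xattr support, as with vfat). Whichever is chosen should be noted next to the new `type private_file, file_type;` in file.te so the next reader knows how the label reaches the disk.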
For example, USB and serial-port access:
Define a label for ttyACM:
|--device/rockchip/common/sepolicy/file_contexts
# ACM
/dev/ttyACM[0-9]*    u:object_r:tty_device:s0
|--device/rockchip/common/sepolicy/system_app.te
+allow system_app usb_device:dir rw_dir_perms;
+allow system_app tty_device:dir rw_dir_perms;
+allow system_app usb_device:chr_file {lock open read write ioctl};
+allow system_app tty_device:chr_file {lock open read write ioctl};
Note that tty_device is shared with every other node labelled that way (on this device /dev/ttyBT* as well, see the file_contexts diff above), so these rules open all of them to system_app; if only the ACM port is needed, give /dev/ttyACM* a type of its own and allow just that.
Problem 3:
When a newly added rule conflicts with an existing definition, the build fails:
mmm external/sepolicy/
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 1 neverallow failures occurred
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
Error while expanding policy
make: *** [out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
The line that matters:
neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf)
Look at what policy.conf says there:
|--out/target/product/rk3288/obj/ETC/sepolicy_intermediates/policy.conf
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc } sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
The cause is that I had tried to give system apps read/write access to device nodes in system_app.te:
allow system_app sysfs:file { read write getattr open };
This conflicts with the definition in |--external/sepolicy/app.te (policy.conf is the m4-expanded form of the .te files, which is why dir_file_class_set appears expanded there):
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;
Solution:
|--external/sepolicy/app.te
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;
change to:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app} sysfs:dir_file_class_set write;
This makes the build pass, but the neverallow rules in external/sepolicy are the platform's security invariants, and CTS checks them against the policy a device ships, so exempting system_app both weakens the device (any system-UID app may now write anywhere in sysfs) and can cost compatibility. The cleaner fix is to give the specific sysfs node its own sysfs_type through genfscon and allow system_app to write only that type, or to move the write into a native service with a dedicated domain that system_app reaches over binder.
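Problem 3 is cheaper to catch before `mmm external/sepolicy` than after, and the same pass can catch the two rules in the system_app.te diff above that an enforcing policy should never carry. The lint below is an added example, not code from the original post or from Rockchip: it parses `allow` statements from .te text, expands the handful of global_macros used on this page (an abbreviated table; check global_macros in your own tree for anything else), and flags app domains writing to `sysfs` (the neverallow in app.te), any rule on `su_exec`, and write-plus-execute on one file type for one domain. The set of app domains is assumed from AOSP 5.x; the sample rules are the ones quoted on this page with the diff `+` removed.

```python
"""Pre-flight lint for vendor sepolicy allow rules.

Added example, not code from the original post. It parses `allow` statements
from a .te file and flags the three patterns this page runs into or should
avoid, before `mmm external/sepolicy` rejects them or a device ships with them:

  NEVERALLOW_SYSFS_WRITE  an app domain writing to the `sysfs` type; this is
                          exactly the neverallow in external/sepolicy/app.te
                          that stops the build in problem 3.
  SU_EXEC                 any rule on su_exec; an enforcing policy that lets a
                          domain execute su is not meaningfully enforcing.
  WRITE_PLUS_EXECUTE      one domain gets write (or append) and execute on the
                          same file type, so it can drop a payload and run it.

It is a heuristic on the rules as written, not a replacement for checkpolicy.
"""
import re

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+|\{[^}]*\})\s+"
    r"(?P<perms>\{[^}]*\}|\w+)\s*;",
    re.MULTILINE,
)

# Domains that carry the `appdomain` attribute in AOSP 5.x policy.
# Assumption: the vendor policy adds no further app domains.
APPDOMAINS = {"untrusted_app", "platform_app", "system_app", "shell",
              "isolated_app", "bluetooth", "nfc", "radio"}
# app.te: neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;
SYSFS_WRITE_EXEMPT = {"bluetooth", "nfc"}

# Abbreviated expansion of the global_macros used by the rules on this page;
# consult global_macros in your own tree before relying on it for other macros.
MACROS = {
    "r_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
    "w_file_perms": {"open", "append", "write"},
    "rw_file_perms": {"getattr", "open", "read", "ioctl", "lock", "append", "write"},
    "rx_file_perms": {"getattr", "open", "read", "ioctl", "lock", "execute", "execute_no_trans"},
    "create_file_perms": {"create", "setattr", "rename", "unlink",
                          "getattr", "open", "read", "ioctl", "lock", "append", "write"},
    "r_dir_perms": {"open", "getattr", "read", "search", "ioctl"},
    "w_dir_perms": {"open", "create", "write", "add_name", "remove_name"},
    "rw_dir_perms": {"open", "getattr", "read", "search", "ioctl",
                     "create", "write", "add_name", "remove_name"},
}


def _expand(tokens):
    """'{ read write }' or 'rw_file_perms' -> set of concrete permissions."""
    out = set()
    for t in tokens.strip().strip("{}").split():
        out |= MACROS.get(t, {t})
    return out


def parse_allows(text):
    """Return a list of {src, tgt, classes, perms} dicts with macros expanded."""
    rules = []
    for m in ALLOW_RE.finditer(text):
        rules.append({
            "src": m["src"],
            "tgt": m["tgt"],
            "classes": set(m["cls"].strip("{}").split()),
            "perms": _expand(m["perms"]),
        })
    return rules


def lint(text):
    """Return a list of (code, message) findings for the allow rules in `text`."""
    findings = []
    file_perms = {}  # (src, tgt) -> union of perms granted on class `file`
    for r in parse_allows(text):
        if (r["tgt"] == "sysfs" and "write" in r["perms"]
                and r["src"] in APPDOMAINS - SYSFS_WRITE_EXEMPT):
            findings.append(("NEVERALLOW_SYSFS_WRITE",
                             f"{r['src']} writes sysfs: violates the neverallow in app.te; "
                             "label the node with its own sysfs_type via genfscon instead"))
        if r["tgt"] == "su_exec":
            findings.append(("SU_EXEC", f"{r['src']} is granted access to su_exec; remove this rule"))
        if "file" in r["classes"]:
            file_perms.setdefault((r["src"], r["tgt"]), set()).update(r["perms"])
    for (src, tgt), perms in file_perms.items():
        if perms & {"write", "append"} and "execute" in perms:
            findings.append(("WRITE_PLUS_EXECUTE",
                             f"{src} can both write and execute {tgt}:file; "
                             "split executables into a read-only labelled subtree"))
    return findings


# Rules quoted from this page: the system_app.te hunk of problem 2 and the sysfs
# rule from problem 3, with the diff '+' prefixes removed.
SAMPLE_TE = """
#private
allow system_app private_file:dir rw_dir_perms;
allow system_app private_file:file execute;
allow system_app private_file:file rw_file_perms;
allow system_app private_file:dir { append create open write getattr setattr rename execute};
allow system_app private_file:file { append unlink create open write getattr setattr rename execute};
allow system_app toolbox_exec:file { read open getattr execute execute_no_trans};
allow system_app su_exec:file { read open getattr execute execute_no_trans};
allow system_app sysfs:file { read write getattr open };
"""

if __name__ == "__main__":
    for code, msg in lint(SAMPLE_TE):
        print(f"{code}: {msg}")
```

On the sample it reports SU_EXEC for the su_exec rule, NEVERALLOW_SYSFS_WRITE for the sysfs rule that broke the build, and WRITE_PLUS_EXECUTE for private_file; the toolbox_exec rule passes because it grants no write. Running it over device/rockchip/common/sepolicy/*.te before the build keeps the neverallow in external/sepolicy/app.te intact instead of editing it.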
Useful commands:
1. getenforce / setenforce
   Show and set the mode. setenforce 1|0 needs a root shell and is not persisted: after a reboot the mode is whatever androidboot.selinux in parameter says.
2. ls -Z <file>
   Show the SELinux label of a file.
3. ps -Z
   Show the SELinux domain of each process.
4. dmesg | grep avc and logcat | grep avc
   Where the denials quoted above come from: the type=1400 audit lines from dmesg, the E/SELinux lines from logcat.
References:
http://blog.csdn.net/innost/article/details/19299937/ (learned a great deal from this)
https://www.2cto.com/kf/201504/390742.html (background)