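1. How do you build and verify after adding permissions?
On Android 8.0 and later, run make selinux_policy in the Android root directory. The output goes to 
out/target/product/XXXX/system/etc/selinux and out/target/product/XXXX/vendor/etc/selinux
Push all files from those two directories to the system/etc/selinux and vendor/etc/selinux directories, then reboot the phone.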

// Manually change the context of a file

chcon -v u:object_r:netdiag_exec:s0  mydump

2. Collected problems

out/target/product/xxx/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )" The following types on /system/ must be associated with the "system_file_type" attribute: verifyusb_exec

Solution:

type verifyusb, domain;
type verifyusb_exec, system_file_type, exec_type, file_type;
init_daemon_domain(verifyusb)

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11682 of policy.conf) violated by
allow nds nds:packet_socket { ioctl };

Solution:

allowxperm nds self:packet_socket  ioctl  {0x8994 0x8b07 0x8933 0x8927};

[ 4219.491901] .(2)[330:logd.auditd]type=1400 audit(1620457138.560:683): avc: denied { dac_override } for comm="sh" capability=1 scontext=u:r:nds:s0 tcontext=u:r:nds:s0 tclass=capability permissive=0
Solution: chmod 700 /vendor/bin/nds

https://seandroid-list.tycho.nsa.narkive.com/UGqJAMld/about-dac-override-denial-on-logd

https://events.static.linuxfound.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf
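
An added example, not from the original notes: a small Python triage for "avc: denied" lines, run on the dac_override log line above. It builds the allow rule the denial corresponds to and flags dac_override/dac_read_search capability denials, where the fix is the file's mode or owner (as with the chmod above) rather than a new rule. The function names and advice strings are assumptions of this example.

```python
import re

# Constructed sample: the dac_override denial quoted above.
SAMPLE = ('[ 4219.491901] .(2)[330:logd.auditd]type=1400 audit(1620457138.560:683): '
          'avc: denied { dac_override } for comm="sh" capability=1 '
          'scontext=u:r:nds:s0 tcontext=u:r:nds:s0 tclass=capability permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Capabilities that bypass Unix permission bits.
DAC_CAPS = {"dac_override", "dac_read_search"}


def selinux_type(context):
    """Return the type field of user:role:type:level, or None if malformed."""
    parts = context.split(":", 3)  # the level itself may contain ':' (categories)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    fields["source"] = selinux_type(fields["scontext"])
    fields["target"] = selinux_type(fields["tcontext"])
    if not fields["perms"] or not fields["source"] or not fields["target"]:
        return None
    return fields


def triage(line):
    """Build the rule the denial corresponds to and flag DAC-bypass capabilities."""
    d = parse_avc(line)
    if d is None:
        return None
    target = "self" if d["source"] == d["target"] else d["target"]
    rule = "allow %s %s:%s { %s };" % (d["source"], target, d["tclass"], " ".join(d["perms"]))
    dac = d["tclass"] in ("capability", "cap_userns") and bool(DAC_CAPS & set(d["perms"]))
    advice = "fix file mode/owner, do not add the rule" if dac else "review the rule"
    return {"rule": rule, "dac_bypass": dac, "advice": advice,
            "comm": d.get("comm"), "enforcing": d.get("permissive") == "0"}


if __name__ == "__main__":
    print(triage(SAMPLE))
```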

neverallow check failed at out/target/product/antman_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4293
  (neverallow base_typeattr_50_27_0 system_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
    <root>
    allow at out/target/product/antman_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:12022
      (allow hal_wifi_supplicant_default system_data_file_27_0 (file (read write getattr open)))
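Solution: Usually the offending file or new property has no SELinux type configured in file_contexts / property_contexts, so it ends up with the default system type, whose level is relatively high. Configure it with a type that is allowed.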

3. The on property trigger does not fire

https://blog.csdn.net/u014175785/article/details/92992931

4. Turning SELinux on and off

https://www.codenong.com/cs106021337/
