How to quickly locate and fix SELinux problems?
1. Get the kernel log from the Android device
The simplest way is to redirect the output of the dmesg command to a file:
dmesg > /sdcard/dmesg.txt
After pulling the log out with adb pull, you will see SELinux errors like the following:
<5>[ 6.045281] [1:155:kauditd] audit: type=1400 audit(2245.069:3): avc: denied { read } for pid=1 comm="init" name="mz_rpmb_ctl" dev="tmpfs" ino=28162 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=1
2. Find the SELinux errors
cat dmesg.txt | grep "avc"
For example, my log output is as follows:
<36>[ 185.262911] [0:603:logd.auditd] type=1400 audit(1542768382.806:1551): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[ 186.136447] [0:603:logd.auditd] type=1400 audit(1542768382.806:1554): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0 duplicate messages suppressed
<36>[ 186.136630] [0:603:logd.auditd] type=1400 audit(1542768383.676:1555): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 186.812992] [1:603:logd.auditd] type=1400 audit(1542768383.676:1555): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 186.813073] [1:603:logd.auditd] type=1400 audit(1542768384.356:1556): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 186.816160] [2:603:logd.auditd] type=1400 audit(1542768384.356:1556): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 186.816236] [2:603:logd.auditd] type=1400 audit(1542768384.356:1557): avc: denied { read } for pid=1907 comm="Binder:1907_C" name="chipid" dev="proc" ino=4026531947 scontext=u:r:system_server:s0 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 190.147428] [0:603:logd.auditd] type=1400 audit(1542768386.966:1565): avc: denied { read } for pid=1907 comm="Thread-2" name="sync_temp" dev="sysfs" ino=80221 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
<36>[ 190.147615] [0:603:logd.auditd] type=1400 audit(1542768387.686:1566): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 191.267217] [3:603:logd.auditd] type=1400 audit(1542768388.686:1567): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 191.267405] [3:603:logd.auditd] type=1400 audit(1542768388.806:1568): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[ 192.162748] [3:603:logd.auditd] type=1400 audit(1542768388.806:1571): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0 duplicate messages suppressed
<36>[ 192.162812] [3:603:logd.auditd] type=1400 audit(1542768389.706:1572): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 193.623336] [3:603:logd.auditd] type=1400 audit(1542768390.706:1573): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 193.623390] [3:603:logd.auditd] type=1400 audit(1542768391.166:1574): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 193.625833] [0:603:logd.auditd] type=1400 audit(1542768391.166:1574): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 193.625881] [0:603:logd.auditd] type=1400 audit(1542768391.166:1575): avc: denied { read } for pid=1907 comm="Binder:1907_A" name="chipid" dev="proc" ino=4026531947 scontext=u:r:system_server:s0 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 195.547366] [3:603:logd.auditd] type=1400 audit(1542768391.896:1580): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[ 195.547426] [3:603:logd.auditd] type=1400 audit(1542768393.086:1583): avc: denied { read } for pid=7194 comm="pp.v3.apiWorker" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=22887 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
<36>[ 197.276747] [1:603:logd.auditd] type=1400 audit(1542768393.086:1583): avc: denied { read } for pid=7194 comm="pp.v3.apiWorker" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=22887 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
<36>[ 197.276807] [1:603:logd.auditd] type=1400 audit(1542768394.816:1584): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[ 198.325751] [1:603:logd.auditd] type=1400 audit(1542768394.816:1587): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0 duplicate messages suppressed
<36>[ 198.325828] [1:603:logd.auditd] type=1400 audit(1542768395.866:1588): avc: denied { read } for pid=4664 comm="ontrollerWorker" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=22887 scontext=u:r:system_app:s0 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
3. Analyze the avc problems
The SELinux log can be analyzed with the audit2allow tool:
cat dmesg.txt | grep avc | audit2allow
For example, my output is as follows:
#============= platform_app ==============
allow platform_app app_data_file:file execute;
allow platform_app net_dns_prop:file read;
allow platform_app proc_mz_info:file read;
allow platform_app serialno_prop:file read;
allow platform_app sysfs_net:dir search;
#============= priv_app ==============
allow priv_app proc_uptime:file read;
allow priv_app serialno_prop:file read;
#============= private_file_app ==============
allow private_file_app app_data_file:dir search;
#============= qti_init_shell ==============
allow qti_init_shell default_prop:file read;
#============= radio ==============
allow radio dpmtcm_socket:sock_file write;
#============= rild ==============
allow rild diag_device:chr_file { read write };
allow rild vendor_pd_locater_dbg_prop:file read;
#============= system_app ==============
allow system_app default_prop:property_service set;
allow system_app platform_app:file read;
allow system_app radio_prop:property_service set;
allow system_app serialno_prop:file read;
allow system_app sysfs_net:dir search;
#============= system_server ==============
allow system_server custom_file:dir { getattr search };
allow system_server proc_mz_info:file read;
allow system_server sysfs:file { read write };
allow system_server tptype_prop:file read;
allow system_server wfd_debug_prop:file read;
In this way the avc errors can be found very conveniently, and a solution is already given: just add the result to the corresponding SELinux policy config file.
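The grep step and the audit2allow step above, as one added Python example that is not part of the original post and is not the audit2allow tool itself: it parses whole (unwrapped) dmesg lines, collapses the denials into the same grouped "allow" layout audit2allow prints, and adds a small triage() helper that goes beyond the text by reporting how often each denial fired, which processes hit it, and whether it was actually enforced (permissive=0) rather than only logged (permissive=1). The sample input is constructed here from lines of the kind shown above; the function names are this example's own.

```python
"""Parse Android AVC denials from a dmesg dump and aggregate them into
audit2allow-style allow rules, plus a triage summary (added example)."""
import re
from collections import defaultdict

# Constructed input: AVC lines in the shape shown in the post (values reused
# from the post's log), plus one non-AVC line to show that it is ignored.
SAMPLE_DMESG = """\
<36>[ 185.262911] [0:603:logd.auditd] type=1400 audit(1542768382.806:1551): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[ 186.136630] [0:603:logd.auditd] type=1400 audit(1542768383.676:1555): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[ 190.147428] [0:603:logd.auditd] type=1400 audit(1542768386.966:1565): avc: denied { read } for pid=1907 comm="Thread-2" name="sync_temp" dev="sysfs" ino=80221 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
<36>[ 190.147429] [0:603:logd.auditd] type=1400 audit(1542768386.966:1566): avc: denied { write } for pid=1907 comm="Thread-2" name="sync_temp" dev="sysfs" ino=80221 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
<5>[ 6.045281] [1:155:kauditd] audit: type=1400 audit(2245.069:3): avc: denied { read } for pid=1 comm="init" name="mz_rpmb_ctl" dev="tmpfs" ino=28162 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=1
<6>[ 200.000000] [0:1:init] init: starting service 'example'...
"""

# 'avc: denied { read write } for pid=... scontext=... permissive=0'
AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values may be double-quoted, e.g. comm="m.meizu.account"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC event, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated line: not enough to build a rule from
    return {
        "action": m.group("action"),
        "perms": sorted(m.group("perms").split()),
        "domain": fields["scontext"].split(":")[2],   # u:r:radio:s0 -> radio
        "ttype": fields["tcontext"].split(":")[2],    # u:object_r:sysfs:s0 -> sysfs
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "permissive": fields.get("permissive") == "1",
    }


def parse_avc_lines(text):
    """The equivalent of 'grep avc': keep only the lines that parse as AVC events."""
    return [e for e in (parse_avc(line) for line in text.splitlines()) if e]


def audit2allow_rules(events):
    """Collapse denials into 'allow <domain> <type>:<class> <perms>;' lines,
    grouped by source domain in the layout audit2allow prints."""
    perms = defaultdict(set)
    for e in events:
        if e["action"] == "denied":
            perms[(e["domain"], e["ttype"], e["tclass"])].update(e["perms"])
    out, current = [], None
    for domain, ttype, tclass in sorted(perms):
        if domain != current:
            out.append("#" + "=" * 13 + " " + domain + " " + "=" * 14)
            current = domain
        p = sorted(perms[(domain, ttype, tclass)])
        pstr = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {domain} {ttype}:{tclass} {pstr};")
    return out


def triage(events):
    """Per rule key: how often it fired, which processes hit it, and whether any
    occurrence was enforced (permissive=0) rather than merely logged."""
    report = defaultdict(lambda: {"count": 0, "comms": set(), "enforced": False})
    for e in events:
        r = report[f"{e['domain']} {e['ttype']}:{e['tclass']}"]
        r["count"] += 1
        r["comms"].add(e["comm"])
        r["enforced"] = r["enforced"] or not e["permissive"]
    return dict(report)


if __name__ == "__main__":
    evs = parse_avc_lines(SAMPLE_DMESG)
    print("\n".join(audit2allow_rules(evs)))
    for key, info in sorted(triage(evs).items()):
        print(f"{key}: {info['count']}x, enforced={info['enforced']}, comms={sorted(info['comms'])}")
```

Running it prints the grouped rules followed by the triage lines. The triage output is the check worth doing before pasting a rule into policy: audit2allow proposes the broadest rule that silences the denial, so a line like `allow system_server sysfs:file { read write };` opens the whole generic sysfs type, and the usual fix is to give the specific file its own label and allow only that; rules that contradict AOSP's neverallow rules are rejected at policy build time anyway.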