【QCM6125】Android 12 SELinux policy changes and quick debugging



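【Background】:

During debugging you often need to change SELinux permissions and then quickly check whether the change takes effect, or at least whether the modified policy still builds. This post also covers how to handle a common error.

【Quick debugging and verification】:

The following command builds only the SELinux policy, so you can quickly confirm that the modified policy compiles before verifying it on the device:

$ make selinux_policy	# build the SELinux policy

Verify: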

adb push out\target\product\sc138\system\etc\selinux /system/etc/
adb push out\target\product\sc138\vendor\etc\selinux /vendor/etc/

Some rules do not take effect when pushed this way; for those, a full build is needed to verify the change.

【Common errors】:

Error 1: "neverallow check failed at out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil:22906 from system/sepolicy/private/property.te:47"

FAILED: out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil
out/soong/host/linux-x86/bin/checkpolicy -C -M -c 30 -o out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.conf/android_common/conf && cat system/sepolicy/private/technical_debt.cil >>  out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil && out/soong/host/linux-x86/bin/secilc -m -M true -G -c 30 out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil -o /dev/null -f /dev/null # hash of input list: d6ecc2c4e157ea76b3d37465aa507252a4901a59eb2d9f9a33d3c2a8d1c7f7be
neverallow check failed at out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil:22906 from system/sepolicy/private/property.te:47
  (neverallow base_typeattr_223 base_typeattr_751 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open watch watch_mount watch_sb watch_with_perm watch_reads)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil:26253
      (allow vendor_init init_service_status_private_prop (file (read)))

Failed to generate binary

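The output shows that the neverallow rule at line 47 of system/sepolicy/private/property.te conflicts with the permission that was newly added, so the restriction in the corresponding .te file has to be adjusted according to the cause of the conflict.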
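The failure output above can be broken down mechanically. The following Python script is an added example, not part of the original post or of AOSP's own tooling: it parses the secilc neverallow failure quoted above (embedded as its sample input) and reports the .te line of the violated neverallow together with the permissions of each offending allow that actually conflict. The name parse_neverallow_failures and the record layout are assumptions made for this illustration.

```python
import re

# Build output quoted on this page (secilc neverallow failure), embedded so the example runs offline.
CIL = "out/soong/.intermediates/system/sepolicy/userdebug_plat_sepolicy.cil/android_common/userdebug_plat_sepolicy.cil"
LOG = f"""\
neverallow check failed at {CIL}:22906 from system/sepolicy/private/property.te:47
  (neverallow base_typeattr_223 base_typeattr_751 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open watch watch_mount watch_sb watch_with_perm watch_reads)))
    <root>
    allow at {CIL}:26253
      (allow vendor_init init_service_status_private_prop (file (read)))
"""

HEADER = re.compile(r"neverallow check failed at (\S+):(\d+)(?: from (\S+):(\d+))?")
RULE = re.compile(r"\((neverallow|allow) (\S+) (\S+) \((\S+) \(([^()]*)\)\)\)")


def parse_neverallow_failures(log):
    """Return one dict per failed neverallow check with the allows that violate it."""
    failures = []
    for line in log.splitlines():
        header = HEADER.search(line)
        if header:
            failures.append({"te_file": header.group(3),
                             "te_line": int(header.group(4)) if header.group(4) else None,
                             "denied": None, "violations": []})
            continue
        rule = RULE.search(line)
        if not rule or not failures:
            continue  # unrelated build output, or a rule before any header
        kind, source, target, tclass, perms = rule.groups()
        current = failures[-1]
        if kind == "neverallow":
            current["denied"] = (tclass, set(perms.split()))
        else:
            denied = current["denied"]
            # Only permissions that the neverallow names for this class actually conflict.
            overlap = set(perms.split()) & denied[1] if denied and denied[0] == tclass else set()
            current["violations"].append({"source": source, "target": target,
                                          "class": tclass, "conflicting": sorted(overlap)})
    return failures


if __name__ == "__main__":
    for f in parse_neverallow_failures(LOG):
        print(f"{f['te_file']}:{f['te_line']}")
        for v in f["violations"]:
            print(f"  {v['source']} -> {v['target']} : {v['class']} {v['conflicting']}")
```

For this log the only conflicting permission is read, granted to vendor_init, which is a much narrower conflict than the full permission list the neverallow denies.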

-neverallow { domain -coredomain } {
+neverallow { domain -coredomain -vendor_init } {
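Review bot: the "-vendor_init" exclusion on the "+neverallow" line exempts vendor_init from every permission this rule denies (ioctl, write, create, unlink and the rest), while the build log shows a single conflicting rule, "(allow vendor_init init_service_status_private_prop (file (read)))". Relaxing a platform neverallow in system/sepolicy/private is a broad fix for a one-permission conflict, so I would first check whether that vendor_init allow is really needed and drop or rework it instead of widening the rule. If the exemption has to stay, add a comment above the rule naming the property and the reason; the hunk carries none, and it shows neither the file header nor the rule's target set, so the scope of the relaxation cannot be judged from the patch alone.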



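Copyright notice: This is an original article by hanmengaidudu, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.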