When I created a new domain type for the timestamp process, I ran into a SEAndroid problem: neverallow still reports some conflicts.
Can anyone give me a tip or hint? Please see the description below.

AVC denial log:


[120.810387] type=1400 audit(932699.049:188): avc: denied { execute_no_trans } for pid=3875 comm="system_server" path="/system/bin/sh" dev="mmcblk0p47" ino=791 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
[120.827670] type=1400 audit(932699.049:188): avc: denied { execute_no_trans } for pid=3875 comm="system_server" path="/system/bin/sh" dev="mmcblk0p47" ino=791 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
[120.827684] type=1400 audit(932699.069:189): avc: denied { getattr } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.828287] type=1400 audit(932699.069:189): avc: denied { getattr } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.828300] type=1400 audit(932699.069:190): avc: denied { execute } for pid=3877 comm="sh" name="timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.828593] type=1400 audit(932699.069:190): avc: denied { execute } for pid=3877 comm="sh" name="timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.828607] type=1400 audit(932699.069:191): avc: denied { read open } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.828981] type=1400 audit(932699.069:191): avc: denied { read open } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.828996] type=1400 audit(932699.069:192): avc: denied { execute_no_trans } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.845574] type=1400 audit(932699.069:192): avc: denied { execute_no_trans } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[120.845587] type=1400 audit(932699.089:193): avc: denied { execute_no_trans } for pid=3879 comm="sh" path="/system/bin/dumpsys" dev="mmcblk0p47" ino=570 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1


My timestamp.te:

type timestamp, domain;
type timestamp_exec, exec_type, file_type;
init_daemon_domain(timestamp)

My file_contexts:

/system/bin/timestamp        u:object_r:timestamp_exec:s0


My system_server.te:

allow system_server timestamp_exec:file { execute_no_trans getattr execute read open };


Compiler failure log:


FAILED: out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8996/obj/ETC/26.0.cil_intermediates/26.0.cil out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi) && (mv out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy)"
neverallow check failed at out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:12033 from system/sepolicy/private/system_server.te:704
  (neverallow system_server base_typeattr_218 (file (execute_no_trans)))

    allow at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:7533
      (allow system_server_26_0 timestamp_exec (file (read getattr execute execute_no_trans open)))
Failed to generate binary
Failed to build policydb
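As an added example (not code from the question or the answer), here is a small Python script that merges AVC denials like the ones above into audit2allow-style allow rules and flags any rule that would grant system_server execute_no_trans on a file, which the build log shows is covered by a platform neverallow. The sample lines are constructed from the denials in the question; note that permissive=1 means these were logged but not enforced, so the domain was running permissive when they were collected.

```python
import re
from collections import defaultdict

# Constructed sample: two lines modelled on the AVC denials in the question.
SAMPLE_DENIALS = """\
[120.810387] type=1400 audit(932699.049:188): avc: denied { execute_no_trans } for pid=3875 comm="system_server" path="/system/bin/sh" dev="mmcblk0p47" ino=791 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
[120.828607] type=1400 audit(932699.069:191): avc: denied { read open } for pid=3877 comm="sh" path="/system/bin/timestamp" dev="mmcblk0p47" ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
"""

# Captures the permission set and the source/target contexts plus object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())


def build_allow_rules(text):
    """Merge denials into one permission set per (source, target, class) triple."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    return {key: sorted(perms) for key, perms in merged.items()}


def format_rules(rules):
    """Render the merged rules in the .te syntax used in system_server.te above."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]


def neverallow_hits(rules, stype="system_server", tclass="file", perm="execute_no_trans"):
    """Return the rule keys that would trip the neverallow shown in the build log."""
    return [k for k, p in rules.items() if k[0] == stype and k[2] == tclass and perm in p]


if __name__ == "__main__":
    rules = build_allow_rules(SAMPLE_DENIALS)
    print("\n".join(format_rules(rules)))
    for key in neverallow_hits(rules):
        print(f"WARNING: {key} conflicts with the system_server execute_no_trans neverallow")
```

Rules it prints are starting points for review, not for blind inclusion: a hit on execute_no_trans is the kind that secilc will reject at build time, as the log above shows.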

Best answer

Please try adding "mlstrustedsubject, coredomain" at the end of "type timestamp, domain";

-    type timestamp, domain;

+    type timestamp, domain, mlstrustedsubject, coredomain;

Regarding android-source - SEAndroid: how to fix a neverallow conflict, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47967200/

10-12 01:52