一、适用情景当在init.rc中新增service: <span style='font-family:SimSun;'>service ro_isn /system/bin/isn.sh class late_start user root Oneshot</span> kernel log会打印以下log: Warning! Service ro_isn needs a SELinux domain defined; please fix! 这是因为Service ro_isn没有在SELinux的监控之下,这种情况会提示你定义一个SELinux。 在这种情况下,你可以: 1.无视该条log,Service功能不受影响。各种权限不受限制。但是这样做会有风险。 2.为Service ro_isn定义一个SELinux domain,仅添加需要的权限,未允许的权限操作会被拒绝。具体方法请参照下节。
二、解决方法1.在devices/qcom/sepolicy/common/目录下新增ro_isn.te文件,内容如下:type ro_isn, domain; type ro_isn_exec, exec_type, file_type;
2.在devices/qcom/sepolicy/Android.mk中添加ro_isn.te文件,内容如下:BOARD_SEPOLICY_UNION := ... hostapd.te ro_isn.te
3.在devices/qcom/sepolicy/common/file_contexts中增加如下内容:################################### # System files # ... /system/vendor/bin/slim_ap_daemon u:object_r:location_exec:s0 /system/bin/isn.sh u:object_r:ro_isn_exec:s0
4.在init.rc中service ro_isn下添加secure context by seclabelservice ro_isn /system/bin/isn.sh class late_start user root oneshot seclabel u:r:ro_isn:s0
5.编译并烧录bootimage6.如果编译不成功,失败原因如下:Error while expanding policy libsepol.check_assertion_helper: neverallow on line 233 of external/sepolicy/domain.te (or line 5194 of policy.conf) violated by allow ro_isn system_file:file { entrypoint }; make: *** [out/target/product/msm8226/obj/ETC/sepolicy_intermediates/sepolicy] 错误 1 这是因为系统在domain.te中定义了全局的neverallow策略,与ro_isn.te中allow的策略有冲突: allow ro_isn system_file:file { entrypoint }; neverallow domain { file_type -exec_type }:file entrypoint;
请确定自己的service有必要需要这个权限。如无必要,请在自己的code中删除掉相关操作;如必要,可以在external/sepolicy/domain.te中冲突的neverallow语句中添加自己为例外: neverallow { domain -ro_isn } { file_type -exec_type }:file entrypoint;
7.在service ro_isn运行时,搜索关于“ro_isn”的avc: denied log<6>[ 13.547188](CPU:0-pid:320:logd.auditd) type=1400 audit(17468992.410:7): avc: denied { entrypoint } for pid=272 comm='init' path='/system/bin/isn.sh' dev='mmcblk0p38' ino=631 scontext=u:r:ro_isn:s0 tcontext=u:object_r:system_file:s0 tclass=file
8.按照如下规则在ro_isn.te添加权限SELinux规则语句一般如下: 比如这行warning log: avc: denied { entrypoint } for pid=272 comm='init' path='/system/bin/isn.sh' dev='mmcblk0p38' ino=631 scontext=u:r:ro_isn:s0 tcontext=u:object_r:system_file:s0 tclass=file 那么我们就得出最后的规则是: allow qcomsysd block_device:dir { search }; allow ro_isn system_file:file { entrypoint };
9.重复步骤5-8,直到没有关于“ro_isn”的avc: denied log |
|