Diagnosing SELinux problems:
1 Check the logs:
logcat -b all shows every log buffer
If your program produces an avc: denied line like the one below, you can basically assume it is hitting an SELinux problem; the keyword to search for is avc: denied
I Thread-2: type=1400 audit(0.0:53): avc: denied { search } for name="leds" dev="sysfs" ino=26711 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
2 Confirm that SELinux is really the cause
Run adb shell setenforce 0 to put SELinux into permissive mode and check whether the feature now works (a diagnostic step only; the fix is a policy rule, not leaving the device permissive)
How to fix SELinux problems:
The relevant denial log line:
I Thread-2: type=1400 audit(0.0:53): avc: denied { search } for name="leds" dev="sysfs" ino=26711 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
The same line, rewritten with the fields that matter labelled:
avc: denied { operation } for name="leds" dev="sysfs" ino=26711 scontext=u:r:subject_type:s0:c512,c768 tcontext=u:object_r:object_type:s0 tclass=object_class permissive=1
The simplest allow rule:
allow subject_type object_type:object_class { permissions };
Written by hand:
allow platform_app sysfs_leds:dir search;
Generating the .te rule automatically with the audit2allow tool:
sudo apt-get install policycoreutils
sudo apt-get install policycoreutils-python-utils
test@test:~/tmp$ audit2allow -i input.txt -o out.txt
ValueError: You must specify the -p option with the path to the policy file.
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/bin/audit2allow", line 381, in <module>
app.main()
File "/usr/bin/audit2allow", line 365, in main
audit2why.init()
SystemError: <built-in function init> returned a result with an error set
To get past this error, edit the audit2allow source:
sudo vi /usr/bin/audit2allow
Comment out the four lines of code referred to above.
The tool then writes the rule for us. It only transcribes what the log says, so review the generated rule before adding it to a .te file: a rule broader than the feature needs weakens the policy and may be rejected by the build's neverallow checks.
test@test:~/tmp$ audit2allow -i input-1.txt
#============= platform_app ==============
allow platform_app sysfs_leds:dir search;
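As an added example (not from the original post and not audit2allow's own code), a small Python script that applies the mapping described above to raw logcat lines: it pulls the subject type, object type, class and permissions out of each avc: denied line, merges repeated denials of the same (subject, object, class), and prints rules in the same layout as the audit2allow output. The sample log lines are constructed; the second denial and the non-denial line are not from the page.

```python
import re
from collections import defaultdict

# Field layout of an AVC denial as printed by logcat (see the log line above).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """u:r:platform_app:s0:c512,c768 -> platform_app (the third field)."""
    return ctx.split(":")[2]

def parse_denials(lines):
    """Yield (subject_type, object_type, tclass, {perms}) for each denial."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, e.g. ordinary logcat output
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))

def generate_allow_rules(lines):
    """Merge denials that share (subject, object, class) into one allow
    rule each, printed in the same layout audit2allow uses."""
    merged = defaultdict(set)
    for subj, obj, tclass, perms in parse_denials(lines):
        merged[(subj, obj, tclass)] |= perms
    out, last = [], None
    for (subj, obj, tclass), perms in sorted(merged.items()):
        if subj != last:  # sorted keys group the rules by subject type
            out.append("#============= %s ==============" % subj)
            last = subj
        p = " ".join(sorted(perms))
        out.append("allow %s %s:%s %s;" % (
            subj, obj, tclass, p if len(perms) == 1 else "{ %s }" % p))
    return "\n".join(out)

# Constructed sample: the page's denial, a second denial on the same object
# with two permissions, and a line that is not a denial at all.
SAMPLE_LOG = """\
I Thread-2: type=1400 audit(0.0:53): avc: denied { search } for name="leds" dev="sysfs" ino=26711 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
I Thread-2: type=1400 audit(0.0:54): avc: denied { read open } for name="brightness" dev="sysfs" ino=26713 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1
I ActivityManager: Start proc 1234:com.example/u0a12 for activity
"""

if __name__ == "__main__":
    print(generate_allow_rules(SAMPLE_LOG.splitlines()))
```

Unlike audit2allow with -p, the script cannot check the rule against the loaded policy, so it is a reading aid for the log, not a replacement for reviewing the rule.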
Building and verifying the SELinux policy:
1 Build: make selinux_policy
2 Verify by pushing the built policy files to the device:
adb push ./out/target/product/XXX/system/etc/selinux/* /system/etc/selinux/
adb push ./out/target/product/XXX/vendor/etc/selinux/* /vendor/etc/selinux/
adb push ./out/target/product/XXX/system/system_ext/etc/selinux/* /system/system_ext/etc/selinux/
adb push ./out/target/product/XXX/system/product/etc/selinux/* /system/product/etc/selinux/
adb push ./out/target/product/XXX/root/sepolicy /