SELinux .te 文件
2017-11-01 本文已影响296人
大大大寒
简单说明
android 在4.3之后引入了基于selinux的安全机制,称为SEAndroid.
手机厂商会 基于aosp的SeAndroid上定制公司自己的安全策略文件
遇到的问题
avc: denied { getattr } for pid=1840 comm="userfastboot" path="/dev/block/mmcblk0p10" dev="tmpfs" ino=10720 sconte" path="/dev/block/mmcblk0p10" dev="tmpfs" ino=10720 scontext=u:r:userfastboot:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=1
解决办法:
在device/xx/sepolicy/ xx.te文件中添加
allow userfastboot frp_block_device:blk_file getattr;
userfastboot -->scontext
frp_block_device-->tcontext
blk_file-->tclass
getattr 执行操作
遇到了此类问题记录一下 为了不透露公司内容,case是别人
相关链接
http://blog.leanote.com/post/wertherzhang/SELinux%E7%9A%84sepolicy%E8%A7%84%E5%88%99
http://m.blog.chinaunix.net/uid-29287191-id-4822257.html
wiki介绍
- rule_name
The applicable allow, dontaudit, auditallow, and neverallow rule keyword.
source_type / target_type
One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list - enclosed in braces ({}).
Entries can be excluded from the list by using the negative operator (-).
The target_type can have the self keyword instead of type, typealias or attribute identifiers. This means that the target_type is the same as the source_type.
The neverallow rule also supports the wildcard operator (*) to specify that all types are to be included and the complement operator (~) to specify all types are to be included except those explicitly listed. - class_object
One or more object classes. Multiple entries consist of a space separated list enclosed in braces ({}). - perm_set
The access permissions the source is allowed to access for the target object (also known as the Acess Vector). Multiple entries consist of a space separated list enclosed in braces ({}).
The optional wildcard operator (*) specifies that all permissions for the object class can be used.
The complement operator (~) is used to specify all permissions except those explicitly listed (although the compiler issues a warning if the dontaudit rule has ‘~’).