Question

当我为我的时间戳进程创建一个新的域类型时，我遇到了一些SEAndroid问题，但是neverallow仍然存在一些冲突问题。有人能给我一个提示或线索吗？请参阅以下说明。

avc否认日志：

[120.810387] type = 1400 audit（932699.049：188）：avc：拒绝{execute_no_trans} for pid = 3875 comm =＆＃34; system_server＆＃34;路径=＆＃34; /系统/ bin / sh的＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 791 scontext = u：r：system_server：s0 tcontext = u：object_r：shell_exec：s0 tclass = file permissive = 1 [120.827670] type = 1400 audit（932699.049：188）：avc：拒绝{execute_no_trans} for pid = 3875 comm =＆＃34; system_server＆＃34;路径=＆＃34; /系统/ bin / sh的＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 791 scontext = u：r：system_server：s0 tcontext = u：object_r：shell_exec：s0 tclass = file permissive = 1 [120.827684] type = 1400 audit（932699.069：189）：avc：denied {getattr} for pid = 3877 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.828287] type = 1400 audit（932699.069：189）：avc：denied {getattr} for pid = 3877 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.828300] type = 1400 audit（932699.069：190）：avc：拒绝{execute} for pid = 3877 comm =＆＃34; sh＆＃34;命名=＆＃34;时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.828593] type = 1400 audit（932699.069：190）：avc：拒绝{execute} for pid = 3877 comm =＆＃34; sh＆＃34;命名=＆＃34;时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.828607] type = 1400 audit（932699.069：191）：avc：拒绝{read open} for pid = 3877 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.828981] type = 1400 audit（932699.069：191）：avc：拒绝{read open} for pid = 3877 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.828996] type = 1400 audit（932699.069：192）：avc：拒绝{execute_no_trans} for pid = 3877 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.845574] type = 1400 audit（932699.069：192）：avc：拒绝{execute_no_trans} for pid = 3877 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/时间戳＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 832 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1 [120.845587] type = 1400 audit（932699.089：193）：avc：拒绝{execute_no_trans} for pid = 3879 comm =＆＃34; sh＆＃34;路径=＆＃34; /系统/斌/ dumpsys＆＃34; dev的=＆＃34; mmcblk0p47＆＃34; ino = 570 scontext = u：r：system_server：s0 tcontext = u：object_r：system_file：s0 tclass = file permissive = 1

我的时间戳.te：

type timestamp, domain; type timestamp_exec, exec_type, file_type; init_daemon_domain(timestamp)

我的file_contexts：

/system/bin/timestamp        u:object_r:timestamp_exec:s0

我的system_server.te：

allow system_server timestamp_exec:file { execute_no_trans getattr execute read open };

编译器失败的日志：

失败：out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy / bin / bash -c＆＃34;（out / host / linux-x86 / bin / secilc -M true -G -c 30 out / target / product / msm8996 / obj / ETC / plat_sepolicy.cil_intermediates / plat_sepolicy.cil out /target/product/msm8996/obj/ETC/26.0.cil_intermediates/26.0.cil out / target / product / msm8996 / obj / ETC / nonplat_sepolicy.cil_intermediates / nonplat_sepolicy.cil -o out / target / product / msm8996 / obj / ETC /sepolicy_intermediates/sepolicy.tmp -f / dev / null）＆amp;＆amp; （out / host / linux-x86 / bin / sepolicy-analyze out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy.tmp permissive＆gt; out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy。 permissivedomains）＆amp;＆amp; （如果[\＆＃34; userdebug \＆＃34; = \＆＃34; user \＆＃34; -a -s out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy.permissivedomains];则echo \＆＃34; ========== \＆＃34; 1＆gt;＆amp; 2; echo \＆＃34; ERROR：用户构建中不允许的允许域\＆＃34; 1＆gt;＆amp; ; 2; echo \＆＃34;无效域列表：\＆＃34; 1＆gt;＆amp; 2; cat out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy.permissivedomains 1＆gt;＆amp; 2;退出1; fi）＆amp;＆amp; （mv out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy.tmp out / target / product / msm8996 / obj / ETC / sepolicy_intermediates / sepolicy）＆＃34; neverallow check out out out / target / product / msm8996 / obj / ETC / plat_sepolicy.cil_intermediates / plat_sepolicy.cil：12033 from system / sepolicy / private / system_server.te:704 （neverallow system_server base_typeattr_218（file（execute_no_trans）））允许at out / target / product / msm8996 / obj / ETC / nonplat_sepolicy.cil_intermediates / nonplat_sepolicy.cil:7533 （允许system_server_26_0 timestamp_exec（文件（读取getattr执行execute_no_trans打开）））无法生成二进制文件无法构建policydb

Answer 1

请尝试在“type timestamp，domain;”的末尾添加“mlstrustedsubject，coredomain”。

-    type timestamp, domain;

+    type timestamp, domain, mlstrustedsubject, coredomain;

SEAndroid：如何修复不允许的许可域名

1 个答案: