Building a custom AOSP ROM

Time: 2019-10-02 23:51:15

Tags: android build android-source selinux

I am trying to build in enforcing mode, but I have 7 violations. How can I fix them?

libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926 of policy.conf) violated by allow hal_camera_default hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_secure_element.te (or line 15685 of policy.conf) violated by allow hal_nfc_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_camera.te (or line 14186 of policy.conf) violated by allow init hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 521 of system/sepolicy/public/domain.te (or line 10809 of policy.conf) violated by allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf) violated by allow qseeproxy default_android_service:service_manager { add };
libsepol.check_assertions: 7 neverallow failures occurred

1 answer:

Answer 0 (score: 1)

You are dealing with neverallow violations: you have one rule that says "never allow type x to perform action on other types/classes y:c", and then another rule that says "allow this subtype of x to perform action on y:c". The SELinux compiler rejects these contradictory rules. This can be fixed by modifying the neverallow rule so that the specific subtype you want to allow becomes an exception.

More precisely, if you have rules of the form:

  1. neverallow x y:c action;
  2. type z, x; (meaning z is a special case of x)
  3. allow z y:c action;

change the first rule to neverallow { x -z } y:c action; so that the subtype z becomes an exception.

示例:

  1. neverallow { domain ... -installd } staging_data_file:dir *; says that objects of type domain must not be allowed to access objects of type staging_data_file and class dir. However, the type installd is an exception to it.

  2. type installd, domain; defines installd as a special case of domain.

  3. allow installd staging_data_file:dir { open ... }; allows installd to perform the action open on objects of type staging_data_file and class dir.
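The check that libsepol performs at build time, reduced to a miniature model so the mechanism in the answer can be seen end to end. This is an added example, not code from the original post or from AOSP: it parses a tiny subset of the TE language (attribute, type, allow, neverallow with `-` exclusions and `*` permissions), expands attributes to the concrete types that carry them, and reports every allow rule whose source, target, class and permissions intersect a neverallow, exactly the kind of contradiction that appears in the build log above. The two policies are constructed for the example; they reuse the names from the answer (domain, installd, staging_data_file) and add a hypothetical hal_camera_default type to show that excluding one subtype with `-installd` does not silence violations by other members of the attribute.

```python
"""Miniature model of libsepol's neverallow assertion check (added example).

Supported statements: 'attribute a;', 'type t, a1, a2;', and
'allow|neverallow SRC TGT:CLASS PERMS;' where SRC/TGT/PERMS are a single
identifier or a '{ ... }' set; '-name' inside a set excludes that type or
attribute, and PERMS may be '*'. The sample policies below are constructed
for this example; hal_camera_default is a hypothetical type name.
"""
import re

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\w+)\s+(\{[^}]*\}|\S+);$"
)


def _split_set(token):
    """'{ a b -c }' -> (['a', 'b'], ['c']); 'a' -> (['a'], [])."""
    names = token.strip("{}").split()
    included = [n for n in names if not n.startswith("-")]
    excluded = [n[1:] for n in names if n.startswith("-")]
    return included, excluded


class Policy:
    def __init__(self):
        self.attrs = {}        # attribute name -> set of concrete types
        self.allows = []       # (src_spec, tgt_spec, class, perms, text)
        self.neverallows = []

    def load(self, text):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("attribute "):
                self.attrs.setdefault(line[len("attribute "):].rstrip(";").strip(), set())
            elif line.startswith("type "):
                # 'type z, x;' makes z a member of attribute x (the answer's "special case")
                parts = [p.strip() for p in line[len("type "):].rstrip(";").split(",")]
                for attr in parts[1:]:
                    self.attrs.setdefault(attr, set()).add(parts[0])
            else:
                match = RULE_RE.match(line)
                if not match:
                    raise ValueError(f"unsupported statement: {line}")
                kind, src, tgt, cls, perms = match.groups()
                rule = (_split_set(src), _split_set(tgt), cls, set(perms.strip("{}").split()), line)
                (self.neverallows if kind == "neverallow" else self.allows).append(rule)
        return self

    def expand(self, spec):
        """Resolve (included, excluded) names to the concrete types they denote."""
        included, excluded = spec
        types = set()
        for name in included:
            types |= self.attrs.get(name, {name})
        for name in excluded:
            types -= self.attrs.get(name, {name})
        return types

    def check_assertions(self):
        """Return one message per allow rule that contradicts a neverallow."""
        failures = []
        for nsrc, ntgt, ncls, nperms, ntext in self.neverallows:
            never_src, never_tgt = self.expand(nsrc), self.expand(ntgt)
            for asrc, atgt, acls, aperms, atext in self.allows:
                if acls != ncls:
                    continue
                common = aperms if ("*" in nperms or "*" in aperms) else aperms & nperms
                if common and self.expand(asrc) & never_src and self.expand(atgt) & never_tgt:
                    failures.append(f"neverallow '{ntext}' violated by '{atext}'")
        return failures


def violations(policy_text):
    return Policy().load(policy_text).check_assertions()


# Constructed sample: the neverallow covers every member of 'domain'.
BROKEN_POLICY = """
attribute domain;
type installd, domain;
type hal_camera_default, domain;   # hypothetical second member of domain
type staging_data_file;
neverallow domain staging_data_file:dir *;
allow installd staging_data_file:dir { open read };
allow hal_camera_default staging_data_file:dir { search };
"""

# The fix from the answer: carve installd out of the neverallow with '-installd'.
# The hal_camera_default rule is still a violation, as it should be.
FIXED_POLICY = BROKEN_POLICY.replace(
    "neverallow domain", "neverallow { domain -installd }"
)

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        found = violations(policy)
        print(f"{label}: {len(found)} neverallow failure(s)")
        for message in found:
            print("  " + message)
```

The real libsepol does the same intersection over the fully expanded policy.conf, which is why each message in the log cites both the .te file and a policy.conf line number. Note that the exclusion is deliberately narrow: a `-installd` term only exempts installd, so any other domain touching the target still fails the check.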