In day-to-day work I have run into cases where adding a new readable attribute or file node failed with a permission error. If the same operation succeeds after setenforce 0, the problem is confirmed to be an SELinux permission issue. Below I record the permission problems I have run into.
1. The simplest class: follow the universal formula and add whatever permission is missing. The build passes without errors, and once the new policy is pushed to the device the problem is gone.
type=1400 audit(1698809417.118:102): avc: denied { read write } for comm="HwBinder:245_1" name="wake_lock" dev="sysfs" ino=4980 scontext=u:r:tvhalserver:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file permissive=1
type=1400 audit(1698809417.118:103): avc: denied { open } for comm="HwBinder:245_1" path="/sys/power/wake_lock" dev="sysfs" ino=4980 scontext=u:r:tvhalserver:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file permissive=1
Syntax: rule_name source_type target_type : class perm_set
Universal formula:
Which permissions are missing: { read write open }
Who is missing the permission: scontext=u:r:tvhalserver:s0
Missing the permission on what: tcontext=u:object_r:sysfs_wake_lock:s0
Which object class: tclass=file
+++ b/sepolicy/tvhalserver.te
@@ -183,4 +183,9 @@ allow tvhalserver hal_tv_earc_default:binder { call };
allow tvhalserver hal_tv_earc_default:file { getattr };
allow tvhalserver userdata_file:dir { search read open getattr remove_name };
allow tvhalserver userdata_file:file { write ioctl lock };
+allow tvhalserver sysfs_wake_lock:file { open read write };
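Review bot: the added rule allow tvhalserver sysfs_wake_lock:file { open read write }; covers exactly the permissions in the two denials above, but confirm that tvhalserver really needs write on /sys/power/wake_lock before granting it; a process that only reads the node should get { open read } alone. If the tree has the wakelock_use() macro from system/sepolicy/public/te_macros, wakelock_use(tvhalserver) is the preferred form, since it grants the sysfs_wake_lock file access together with the block_suspend capability that goes with it, keeping this domain consistent with how the rest of the tree grants wake lock access.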
2.1 dac_override: after adding the permission, the build reports a neverallow violation. For example:
type=1400 audit(1698809417.118:101): avc: denied { dac_override } for comm="HwBinder:245_1" capability=1 scontext=u:r:tvhalserver:s0 tcontext=u:r:tvhalserver:s0 tclass=capability permissive=1
+++ b/sepolicy/tvhalserver.te
@@ -190,4 +190,6 @@ allow tvhalserver powerctl_prop:property_service { set };
allow tvhalserver hal_power_default:dir { search };
+allow tvhalserver tvhalserver:capability { dac_override };
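Review bot: allow tvhalserver tvhalserver:capability { dac_override }; should be dropped rather than merged: as the build error below shows, it violates a neverallow in system/sepolicy/private/domain.te, and that neverallow is kept on purpose. A dac_override denial means the process tried to access a file whose owner, group or mode bits do not permit it, so the fix is to correct the file's ownership or mode (the chown/chmod in the service's init.rc, or its ueventd entry) or to run the service under a group that already has access, not to grant the capability. If a capability rule on the domain itself is ever needed, the conventional spelling is self:capability, not tvhalserver tvhalserver:capability.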
The build then fails with a neverallow error:
libsepol.report_failure: neverallow on line 342 of system/sepolicy/private/domain.te (or line 40681 of policy.conf) violated by allow tvhal
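As an added worked example (my own code, not from the original post), the following Python turns the universal formula of section 1 into a small tool and applies the lesson of section 2.1: it parses the three AVC denial lines quoted in this post, merges denials with the same source type, target type and class into one allow rule, and flags a capability dac_override rule as one the AOSP neverallow set will reject. It writes self when the target is the source domain itself, which is the usual spelling; the names parse_denials, allow_rules and is_suspect are mine.

```python
import re

# Sample input: the three AVC denials quoted in this post (copied from the log above).
SAMPLE_DENIALS = [
    'type=1400 audit(1698809417.118:101): avc: denied { dac_override } for comm="HwBinder:245_1" capability=1 scontext=u:r:tvhalserver:s0 tcontext=u:r:tvhalserver:s0 tclass=capability permissive=1',
    'type=1400 audit(1698809417.118:102): avc: denied { read write } for comm="HwBinder:245_1" name="wake_lock" dev="sysfs" ino=4980 scontext=u:r:tvhalserver:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file permissive=1',
    'type=1400 audit(1698809417.118:103): avc: denied { open } for comm="HwBinder:245_1" path="/sys/power/wake_lock" dev="sysfs" ino=4980 scontext=u:r:tvhalserver:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file permissive=1',
]

# The four fields the "universal formula" reads off a denial line.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Pull the type out of a context: u:r:tvhalserver:s0 -> tvhalserver."""
    return ctx.split(":")[2]


def parse_denials(lines):
    """Map (source_type, target_type, tclass) -> merged set of denied permissions."""
    grouped = {}
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:  # not an AVC denial, e.g. an ordinary logcat line
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        grouped.setdefault(key, set()).update(m["perms"].split())
    return grouped


def allow_rules(lines):
    """Emit one allow rule per (source, target, class), in first-seen order."""
    rules = []
    for (src, tgt, cls), perms in parse_denials(lines).items():
        target = "self" if tgt == src else tgt  # the usual spelling for a self rule
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def is_suspect(rule):
    """True for rules the AOSP neverallow set rejects, as seen in section 2.1."""
    return ":capability" in rule and "dac_override" in rule


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DENIALS):
        note = "   # hits neverallow: fix file owner/mode instead" if is_suspect(rule) else ""
        print(rule + note)
```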