AVC Denial Examples and Solutions


1. AVC denial example:
    Line 4832: 12-28 10:33:21.680000  1726  1726 I rild    : type=1400 audit(0.0:59): avc: denied { execute } for name="pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
	Line 4833: 12-28 10:33:21.680000  1726  1726 I rild    : type=1400 audit(0.0:60): avc: denied { read open } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
	Line 4834: 12-28 10:33:21.680000  1726  1726 I rild    : type=1400 audit(0.0:61): avc: denied { execute_no_trans } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
	Line 4835: 12-28 10:33:21.690000  1726  1726 I pppd    : type=1400 audit(0.0:62): avc: denied { getattr } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
	Line 4838: 12-28 10:33:21.700988  1726  1726 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 4839: 12-28 10:33:21.701056  1726  1726 E pppd    : Sorry - this system lacks PPP kernel support
	Line 4889: 12-28 10:33:58.118905  1734  1734 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 4890: 12-28 10:33:58.119129  1734  1734 E pppd    : Sorry - this system lacks PPP kernel support
	Line 4923: 12-28 10:34:01.373867  1735  1735 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 4924: 12-28 10:34:01.374034  1735  1735 E pppd    : Sorry - this system lacks PPP kernel support
	Line 4925: 12-28 10:34:04.626659  1736  1736 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 4926: 12-28 10:34:04.626895  1736  1736 E pppd    : Sorry - this system lacks PPP kernel support
	Line 4927: 12-28 10:34:07.936232  1737  1737 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 4928: 12-28 10:34:07.936401  1737  1737 E pppd    : Sorry - this system lacks PPP kernel support
	Line 9884: 12-28 10:34:44.255467  1793  1793 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 9885: 12-28 10:34:44.255550  1793  1793 E pppd    : Sorry - this system lacks PPP kernel support
	Line 9886: 12-28 10:34:44.250000  1793  1793 I pppd    : type=1400 audit(0.0:64): avc: denied { read write } for name="ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
	Line 9887: 12-28 10:34:44.250000  1793  1793 I pppd    : type=1400 audit(0.0:65): avc: denied { open } for path="/dev/ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
	Line 10713: 12-28 10:34:47.502166  1794  1794 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 10714: 12-28 10:34:47.502406  1794  1794 E pppd    : Sorry - this system lacks PPP kernel support
	Line 11286: 12-28 10:34:50.770849  1807  1807 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
	Line 11287: 12-28 10:34:50.771091  1807  1807 E pppd    : Sorry - this system lacks PPP kernel support
	Line 11739: 12-28 10:34:54.087086  1809  1809 E pppd    : Couldn't open the /dev/ppp device: Operation not permitted
2. How to resolve these denials

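For the AVC denials above, create a new file test.te under the /external/sepolicy/ directory
and write an allow rule in it, e.g. allow rmt kmem_device:chr_file { read write };
then recompile the policy and flash the device.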

However, when there are many AVC denials, going through them by hand is slow and error-prone, so we can use a tool to do this work.

Setting up the selinux/policycoreutils/audit2allow environment:
The test machine runs Ubuntu 12.04.
Step 1: install policycoreutils on Ubuntu
sudo apt-get install policycoreutils

Step 2: use the audit2allow tool to generate the policy rules:
audit2allow -i filename

For example, for the AVC messages above it outputs:

#============= mobile_log_d ==============
allow mobile_log_d mtk_em_ril_apnchange_prop:file { getattr open };
allow mobile_log_d sys_rpmb_ready_prop:file { getattr open };

#============= rild ==============
allow rild system_data_file:file write;

#============= untrusted_app ==============
allow untrusted_app anr_data_file:dir read;
allow untrusted_app debugfs:dir { read open };
allow untrusted_app debugfs:file { read getattr open };
allow untrusted_app device_logging_prop:file { getattr open };
allow untrusted_app mmc_prop:file { getattr open };
allow untrusted_app mtk_em_ril_apnchange_prop:file { getattr open };
allow untrusted_app safemode_prop:file { getattr open };
allow untrusted_app sys_rpmb_ready_prop:file { getattr open };
allow untrusted_app sysfs:file { read getattr open };

Add the generated rules to the corresponding .te file, then rebuild and verify.
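
The following Python example is added here (it is not part of the original post and is not audit2allow's own code). It shows the grouping step that turns AVC lines into allow rules: each denial is keyed by source type, target type and class, and the denied permissions are merged. The sample lines are the rild/pppd denials from the log in section 1 with the logcat timestamp prefix dropped; the function names are this example's own.

```python
import re
from collections import defaultdict

# Denials taken from the log in section 1 (timestamp/PID prefix dropped).
SAMPLE_LOG = """\
I rild : type=1400 audit(0.0:59): avc: denied { execute } for name="pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
I rild : type=1400 audit(0.0:60): avc: denied { read open } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
I rild : type=1400 audit(0.0:61): avc: denied { execute_no_trans } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
I pppd : type=1400 audit(0.0:62): avc: denied { getattr } for path="/system/bin/pppd" dev="dm-0" ino=357 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_exec:s0 tclass=file permissive=1
E pppd : Couldn't open the /dev/ppp device: Operation not permitted
I pppd : type=1400 audit(0.0:64): avc: denied { read write } for name="ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
I pppd : type=1400 audit(0.0:65): avc: denied { open } for path="/dev/ppp" dev="tmpfs" ino=9126 scontext=u:r:rild:s0 tcontext=u:object_r:ppp_device:s0 tclass=chr_file permissive=1
"""

# A context is user:role:type:level; only the type (third field) goes in a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC lines (e.g. the pppd error) are skipped
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render one allow statement per (source, target, class) key."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(collect_denials(SAMPLE_LOG))))
```

The generated rules describe what was denied, not what the domain should be allowed to do, so review each one before adding it to a .te file.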
