SELinux .te files

Brief overview

Starting with Android 4.3, Android introduced an SELinux-based security mechanism called SEAndroid.

Phone vendors build their own security policy files on top of AOSP's SEAndroid policy.

Problem encountered

avc:  denied  { getattr } for  pid=1840 comm="userfastboot" path="/dev/block/mmcblk0p10" dev="tmpfs" ino=10720 scontext=u:r:userfastboot:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=1

Solution:
Add the following to the xx.te file under device/xx/sepolicy/

allow userfastboot frp_block_device:blk_file getattr; 

userfastboot --> scontext (the source domain)
frp_block_device --> tcontext (the target type)
blk_file --> tclass (the object class)
getattr --> the operation being performed (the permission)

I am writing this down because I ran into this kind of problem; to avoid disclosing company content, the case shown here is someone else's.

Related links
http://blog.leanote.com/post/wertherzhang/SELinux%E7%9A%84sepolicy%E8%A7%84%E5%88%99

http://m.blog.chinaunix.net/uid-29287191-id-4822257.html

Description from the wiki

  • rule_name
    The applicable allow, dontaudit, auditallow, and neverallow rule keyword.
  • source_type / target_type
    One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces ({}).
    Entries can be excluded from the list by using the negative operator (-).
    The target_type can have the self keyword instead of type, typealias or attribute identifiers. This means that the target_type is the same as the source_type.
    The neverallow rule also supports the wildcard operator (*) to specify that all types are to be included and the complement operator (~) to specify all types are to be included except those explicitly listed.
  • class_object
    One or more object classes. Multiple entries consist of a space separated list enclosed in braces ({}).
  • perm_set
    The access permissions the source is allowed to access for the target object (also known as the Access Vector). Multiple entries consist of a space separated list enclosed in braces ({}).
    The optional wildcard operator (*) specifies that all permissions for the object class can be used.
    The complement operator (~) is used to specify all permissions except those explicitly listed (although the compiler issues a warning if the dontaudit rule has '~').
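The following script ties the two halves of this post together: it performs the scontext/tcontext/tclass/permission mapping described for the denial above and emits rules in the perm_set syntax from the wiki description (a single permission bare, several permissions in a brace-enclosed list). It is an added example written for this page, not code from the original post or from AOSP; it mimics what the audit2allow tool does, in a reduced form. The first sample line is the denial quoted above; the other three log lines are constructed only to show how permissions for one source/target pair are merged and how a second target type gets its own rule. The type names in those constructed lines (misc_block_device) are used purely as sample input.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the denial quoted in this post; the rest
# are constructed variants (not real captured output) used to show grouping.
SAMPLE_AVC_LINES = """\
avc:  denied  { getattr } for  pid=1840 comm="userfastboot" path="/dev/block/mmcblk0p10" dev="tmpfs" ino=10720 scontext=u:r:userfastboot:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=1
avc:  denied  { read } for  pid=1840 comm="userfastboot" path="/dev/block/mmcblk0p10" dev="tmpfs" ino=10720 scontext=u:r:userfastboot:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=1
avc:  denied  { open } for  pid=1840 comm="userfastboot" path="/dev/block/mmcblk0p10" dev="tmpfs" ino=10720 scontext=u:r:userfastboot:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=1
avc:  denied  { write } for  pid=2210 comm="userfastboot" name="misc" dev="tmpfs" ino=10721 scontext=u:r:userfastboot:s0 tcontext=u:object_r:misc_block_device:s0 tclass=blk_file permissive=0
some unrelated kernel log line that should be ignored
"""

# Shape of a denial: avc: denied { perm1 perm2 } for key=value key="value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a security context.

    u:r:userfastboot:s0            -> userfastboot      (scontext: source domain)
    u:object_r:frp_block_device:s0 -> frp_block_device  (tcontext: target type)
    """
    return ctx.split(":")[2]


def parse_avc_line(line):
    """Parse one avc denial into its rule components; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        # permissive=1 means the domain was in permissive mode: the access went
        # through and was only logged; in enforcing mode it would be blocked.
        "permissive": fields.get("permissive") == "1",
    }


def format_rule(source, target, tclass, perms):
    """Render an allow rule; several permissions become a brace-enclosed perm_set."""
    perms = sorted(set(perms))
    perm_set = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {perm_set};"


def generate_allow_rules(log_text):
    """Collapse every denial in log_text into one rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc_line(line)
        if d is None:
            continue
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in generate_allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Running it prints `allow userfastboot frp_block_device:blk_file { getattr open read };` followed by the rule for the constructed second target. The generated lines are a starting point, not a finished policy: each one grants the domain exactly the access that was denied, so before it goes into a .te file it is worth asking whether the process should be touching that target type at all, and the AOSP build will reject any rule that contradicts the neverallow rules shipped with the platform policy.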
