Android SELinux: fixing "avc: denied" permission errors

SELinux

{

getenforce: serial console command to check the current SELinux mode

selinux=0: kernel command line option, SELinux disabled

selinux=1: kernel command line option, SELinux enabled

The Android system has two modes:

androidboot.selinux=permissive: permissive

androidboot.selinux=enforcing: enforcing

getenforce

setenforce 0: command that switches SELinux into permissive mode

Serial number: getprop ro.serialno

MAC address: cat /sys/class/net/wlan0/address

Related files

{

Permission changes are best made as device-specific customizations under device/:

device/xxx/xxx/sepolicy/

Preferably do not touch the policy in the original source code:

system/sepolicy/public/

system/sepolicy/prebuilts/api/xx/public/

}

Configuration file: device/softwinner/eros-p1/BoardConfig.mk

BOARD_KERNEL_CMDLINE += selinux=1 androidboot.selinux=permissive androidboot.dtbo_idx=0,1,2

BOARD_KERNEL_CMDLINE += selinux=1 androidboot.selinux=enforcing androidboot.dtbo_idx=0,1,2

Permission errors produce messages like the following:

{

init: Unable to set property 'persist.standby.mode' to '1' from uid:1000 gid:1000 pid:7184: SELinux permission check failed

[ 2.047169] selinux: avc: denied { set } for scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
[ 2.064680] selinux: avc: denied { set } for scontext=u:r:vendor_init:s0 tcontext=u:object_r:config_prop:s0 tclass=property_service permissive=1
[ 2.081488] selinux: avc: denied { set } for scontext=u:r:vendor_init:s0 tcontext=u:object_r:exported2_default_prop:s0 tclass=property_service permissive=1
[ 153.759885] selinux: avc: denied { set } for property=persist.standby.mode pid=3928 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
[ 178.937290] selinux: avc: denied { set } for property=settings.notifi.count pid=2183 uid=1000 gid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
avc: denied { write } for name="light" dev="sysfs" ino=14600 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_gpio:s0 tclass=file permissive=0

}

Method 1: edit property_contexts

vendor/aw/homlet/sepolicy/property_contexts
system/sepolicy/.../property_contexts

{

Properties labelled system_prop can only be used by system-level apps:

ro.datamax.RomVersion u:object_r:system_prop:s0
persist.ota.server u:object_r:system_prop:s0
persist.standby.mode u:object_r:system_prop:s0

}

Method 2

{

Capture the relevant log and extract the permission names.

dmesg|grep avc          (lists all avc permission problems)
logcat|grep avc: > /sdcard/avc.log

audit2allow is a Linux-side tool; run source build/envsetup.sh & lunch first:

audit2allow -i avc.log

The tool generates rules from the captured denials, for example:

{

#============= hal_wifi_default ==============
allow hal_wifi_default vendor_data_file:file getattr;

#============= init ==============
allow init settings_service:service_manager find;
allow init system_file:file execute_no_trans;

#============= system_app ==============
allow system_app system_data_file:file { write read create };

}

Edit the .te file according to the generated rules, e.g. system/sepolicy/public/system_app.te:

allow system_app system_data_file:dir { add_name write };
allow system_app system_data_file:file { create open write };

Build error:

libsepol.report_failure: neverallow on line 458 of system/sepolicy/public/app.te (or line 8332 of policy.conf) violated by allow system_app system_data_file:dir { write };
libsepol.report_failure: neverallow on line 458 of system/sepolicy/public/app.te (or line 8332 of policy.conf) violated by allow system_app system_data_file:file { write create };
libsepol.check_assertions: 2 neverallow failures occurred

Find the corresponding line (458 etc.) in app.te and modify it:

{

Original:
neverallow appdomain system_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename };

Modified, option 1:
neverallow appdomain -system_app system_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename };

Modified, option 2:
neverallow appdomain system_data_file:dir_file_class_set { setattr relabelfrom relabelto append unlink link rename };

}

Build error:

Files system/sepolicy/prebuilts/api/28.0/public/app.te and system/sepolicy/public/app.te differ

Compare the characters in the two files; they must match exactly, down to every single space.

Build and test:

make selinux_policy

}

}
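As an added example (not part of these notes and not the audit2allow tool itself), the core of what audit2allow -i avc.log does for method 2, written in Python: parse avc: denied lines like those quoted above into (source type, target type, class) triples, merge the permissions into allow statements, and flag any statement that would trip the appdomain / system_data_file neverallow from app.te that the build error above reports. The log lines are constructed, and the APP_DOMAINS set is an assumption listing a few members of the appdomain attribute.

```python
import re
from collections import defaultdict

# Constructed sample log (same shape as the denials in the notes; not real device output).
SAMPLE_AVC_LOG = """\
[  153.759885] selinux: avc: denied { set } for property=persist.standby.mode pid=3928 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
avc: denied { write } for name="light" dev="sysfs" ino=14600 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_gpio:s0 tclass=file permissive=0
avc: denied { write read } for name="cfg" scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
avc: denied { create } for name="cfg" scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
"""

# Fields audit2allow needs from one denial: permissions, source type, target type, object class.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}.*?scontext=u:r:(?P<src>[^:\s]+):"
    r".*?tcontext=u:object_r:(?P<tgt>[^:\s]+):.*?tclass=(?P<cls>\S+)"
)

# Assumption for the example: a few members of the appdomain attribute. The permission
# set is the one in the app.te neverallow quoted in the build error above.
APP_DOMAINS = {"system_app", "platform_app", "priv_app", "untrusted_app"}
NEVERALLOW_PERMS = {"create", "write", "setattr", "relabelfrom", "relabelto", "append", "unlink", "link", "rename"}

def parse_avc(log_text):
    """Aggregate denials into {(src, tgt, cls): set_of_perms}, merging repeated lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render aggregated denials as audit2allow-style allow statements, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

def neverallow_conflicts(rules):
    """Rules that would fail the appdomain -> system_data_file neverallow at build time."""
    hits = []
    for (src, tgt, cls), perms in rules.items():
        bad = perms & NEVERALLOW_PERMS
        if src in APP_DOMAINS and tgt == "system_data_file" and cls in ("dir", "file") and bad:
            hits.append((src, tgt, cls, sorted(bad)))
    return sorted(hits)
```

Any rule reported by neverallow_conflicts is one the build will reject with libsepol.report_failure, which is the signal to relabel the file or move the access into a device-specific domain rather than emit the allow as generated.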