Build AOSP custom rom


Problem description

I'm trying to build enforcing, but I had 7 violations. How can I fix?

libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926 of policy.conf) violated by allow hal_camera_default hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_secure_element.te (or line 15685 of policy.conf) violated by allow hal_nfc_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_camera.te (or line 14186 of policy.conf) violated by allow init hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 521 of system/sepolicy/public/domain.te (or line 10809 of policy.conf) violated by allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf) violated by allow qseeproxy default_android_service:service_manager { add };
libsepol.check_assertions: 7 neverallow failures occurred

Recommended answer

You are dealing with neverallow violations: You have a rule that says "Never allow type x to do action on some other type/class y:c" and then another rule that says "This subtype of x is allowed to do action on y:c". The SE Linux compiler will reject these contradictory rules. This can be solved by modifying the neverallow rule to make an exception for the specific subtype you want to allow.

More precisely, if you have rules of the form:

  1. neverallow x y:c action;
  2. type z, x; (meaning z is a special case of x)
  3. allow z y:c action;

Modify the first rule to neverallow {x -z} y:class action; to make an exception for the subtype z.

Example:

  1. Link: neverallow { domain ... -installd} staging_data_file:dir *; says objects of type domain should not be allowed to access objects of type staging_data_file and class dir. However, it makes an exception for type installd.
  2. Link: type installd, domain; defines installd as a special case of domain.
  3. Link: allow installd staging_data_file:dir { open ... }; allows installd to do action open on objects of type staging_data_file and class dir.
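
A triage helper for build output like the log in the question, added here as an example (it is not part of the original question or answer): it rejoins the hard-wrapped libsepol lines and reports which neverallow rule each allow rule violates. The sample input is constructed from three of the quoted lines; the function names and the `platform_rule` flag are this example's own, and the flag assumes that rules under system/sepolicy/ are platform policy while the rest come from the device tree.

```python
import re
from collections import defaultdict
# Constructed sample: three failures from the question, still hard-wrapped mid-word.
SAMPLE = """\
libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926 of
 policy.conf) violated by allow hal_camera_default hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_camera.te (or line 14186 of policy.co
nf) violated by allow init hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf
) violated by allow qseeproxy default_android_service:service_manager { add };
"""

FAILURE = re.compile(
    r"libsepol\.report_failure: neverallow on line (?P<line>\d+) of (?P<file>\S+) "
    r"\(or line \d+ of policy\.conf\) violated by "
    r"allow (?P<source>\S+) (?P<target>\S+):(?P<cls>\S+) \{ (?P<perms>[^}]*)\};"
)

def unwrap(text):
    """A line that does not start with 'libsepol.' continues the previous record."""
    records = []
    for line in text.splitlines():
        if line.startswith("libsepol.") or not records:
            records.append(line)
        else:
            records[-1] += line  # no separator: the wrap may fall inside a word
    return records

def parse_failures(text):
    """One dict per violation; platform_rule marks neverallows under system/sepolicy/."""
    failures = []
    for record in unwrap(text):
        m = FAILURE.search(record)
        if m:
            f = m.groupdict()
            f["line"], f["perms"] = int(f["line"]), f["perms"].split()
            f["platform_rule"] = f["file"].startswith("system/sepolicy/")  # assumption
            failures.append(f)
    return failures

def group_by_rule(failures):
    """Map each neverallow (file, line) to the source domains that violate it."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["file"], f["line"])].append(f["source"])
    return dict(groups)

if __name__ == "__main__":
    print(group_by_rule(parse_failures(SAMPLE)))
```

Grouping by rule shows which violations share one neverallow, and the `platform_rule` flag separates assertions owned by the device tree from those that ship with the platform policy.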
