Need some guidance with an Android SELinux build error

Question

I'm currently trying to compile Android 9 with a Quectel EC25 LTE on the RockPi 4. But currently I'm stuck at the SELinux implementation. The EC25 RIL guide tells me to modify/add the following files to the src tree.

  • ($Android_src)/system/core/rootdir/ueventd.rc

#quectel port
/dev/ttyUSB* 0660 radio radio
/dev/cdc-wdm* 0660 radio radio
/dev/qcqmi* 0660 radio radio
/dev/cdc-acm* 0660 radio radio

  • ($Android_src)/external/sepolicy/file_contexts

/dev/ttyUSB[0-9]* u:object_r:tty_device:s0
/dev/ttyACM[0-9]* u:object_r:tty_device:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/socket/rild u:object_r:rild_socket:s0
/system/socket/rild-debug u:object_r:rild_debug_socket:s0
/system/bin/pppd u:object_r:pppd_exec:s0
/dev/ppp u:object_r:ppp_device:s0

  • ($Android_src)/external/sepolicy/rild.te

allow rild default_prop:property_service set;
allow rild device:chr_file { read write ioctl open getattr };
allow rild kernel:system module_request;
allow rild net_radio_prop:property_service set;
allow rild ppp_device:chr_file { read write ioctl open };
allow rild ppp_exec:file { read execute open execute_no_trans };
allow rild radio_prop:property_service set;
allow rild self:capability { net_admin setuid };
allow rild shell_exec:file { read execute open execute_no_trans };
allow rild sysfs_wake_lock:file { open read write };
allow rild system_file:file execute_no_trans;
allow rild system_prop:property_service set;

After running make I get the following error:

FAILED: out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c             30 -o out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then          echo \"==========\" 1>&2;               echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;             echo \"List of invalid domains:\" 1>&2;               cat out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;           exit 1;                 fi ) && (mv out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10484 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10370 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[  4% 449/10291] build out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c               30 -o out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10425 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10311 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[  4% 450/10291] //bionic/libc:libc_bionic_ndk clang++ bionic/bionic_systrace.cpp [arm]
ninja: build stopped: subcommand failed.
10:24:06 ninja failed with: exit status 1


I'm not familiar with

Would be greatly appreciated,

rgds

Answer

Your allow rules are too generic for Android.

The neverallow rules are quite well documented. Look at system/sepolicy/public/domain.te:532 and system/sepolicy/public/domain.te:418 from your error message:

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };


You need to find out which properties rild has to set and then add a more specific allow rule. Check if existing property_contexts files already assign a type to the properties rild needs or create them yourself. The same needs to be done for the devices rild wants to access.

Note: There are macros at system/sepolicy/public/te_macros which would make your rild.te more readable. Example: replace allow rild default_prop:property_service set with set_prop(rild, default_prop).
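As an added example (not code from the question, the answer, or AOSP), a small Python pre-check that models the two domain.te neverallow rules quoted above, flags the allow rules in a rild.te fragment that clash with them before checkpolicy is even run, and spells property rules in the set_prop macro form. The neverallow model is a deliberate simplification (the domain attribute is treated as "every source" and no other attribute expansion is done); the sample rules are taken from the question.

```python
import re

# Constructed sample input: the property and device lines from the rild.te in the question.
RILD_TE = """
allow rild default_prop:property_service set;
allow rild device:chr_file { read write ioctl open getattr };
allow rild ppp_device:chr_file { read write ioctl open };
allow rild radio_prop:property_service set;
allow rild self:capability { net_admin setuid };
"""

# The two neverallow rules quoted from system/sepolicy/public/domain.te, modelled as
# (exempt source domains, target type, object class, forbidden permissions).
# Assumption: "domain" means every source; no other attribute expansion (checkpolicy decides).
NEVERALLOWS = [
    ({"init", "vendor_init"}, "default_prop", "property_service", {"set"}),
    (set(), "device", "chr_file", {"open", "read", "write"}),
]

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text):
    """Return (source, target, class, perms) for each allow rule in a .te fragment."""
    return [(src, tgt, cls, set(perms.strip("{} ").split()))
            for src, tgt, cls, perms in RULE_RE.findall(text)]


def neverallow_violations(rules):
    """Allow rules whose target/class match a neverallow and share at least one permission."""
    hits = []
    for src, tgt, cls, perms in rules:
        for exempt, ntgt, ncls, nperms in NEVERALLOWS:
            clash = perms & nperms
            if src not in exempt and (tgt, cls) == (ntgt, ncls) and clash:
                hits.append((src, tgt, cls, sorted(clash)))
    return hits


def macro_form(rule):
    """Spell a rule with the te_macros helper where one exists (set_prop for property sets)."""
    src, tgt, cls, perms = rule
    if cls == "property_service" and perms == {"set"}:
        return f"set_prop({src}, {tgt})"
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def lint(text):
    """One message per clash: the generic target type needs a more specific label first."""
    return [f"{src} {tgt}:{cls} {{ {' '.join(perms)} }} violates a domain.te neverallow: "
            f"relabel {tgt} to a specific type before granting it"
            for src, tgt, cls, perms in neverallow_violations(parse_allow_rules(text))]
```

Running lint(RILD_TE) reports exactly the two rules that checkpolicy rejected in the build log; the remaining rules pass this check but still need checkpolicy's full neverallow expansion.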
