Build AOSP custom rom

I'm trying to build enforcing, but I had 7 violations. How can I fix this?

libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926 of policy.conf) violated by allow hal_camera_default hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_secure_element.te (or line 15685 of policy.conf) violated by allow hal_nfc_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_camera.te (or line 14186 of policy.conf) violated by allow init hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 521 of system/sepolicy/public/domain.te (or line 10809 of policy.conf) violated by allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf) violated by allow qseeproxy default_android_service:service_manager { add };
libsepol.check_assertions: 7 neverallow failures occurred

You are dealing with neverallow violations: You have a rule that says "Never allow type x to do action on some other type/class y:c" and then another rule that says "This subtype of x is allowed to do action on y:c". The SE Linux compiler will reject these contradictory rules. This can be solved by modifying the neverallow rule to make an exception for the specific subtype you want to allow.

More precisely, if you have rules of the form:

  1. neverallow x y:c action;
  2. type z, x; (meaning z is a special case of x)
  3. allow z y:c action;

Modify the first rule to neverallow {x -z} y:class action; to make an exception for the subtype z.

Example:

  1. Link: neverallow { domain... -installd} staging_data_file:dir *; says objects of type domain should not be allowed to access objects of type staging_data_file and class dir. However, it makes an exception for type installd.

  2. Link: type installd, domain; defines installd to be a special case of domain.

  3. Link: allow installd staging_data_file:dir { open... }; allows installd to do action open on objects of type staging_data_file and class dir.
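
The following is an added example, not part of the original answer: it parses the libsepol.report_failure lines from the question (including ones wrapped at terminal width) and lists, for each neverallow rule, the "-type" terms that the {x -z} form described above would need. The function names and the system/sepolicy/ path check are assumptions of this example.

```python
import re
from collections import defaultdict

# Shape of the libsepol message in the question's build log.
FAILURE_RE = re.compile(
    r"libsepol\.report_failure: neverallow on line (?P<line>\d+) of (?P<file>\S+) "
    r"\(or line \d+ of\s*policy\.conf\s*\) violated by "
    r"allow (?P<source>\S+) (?P<target>\S+):(?P<cls>\S+) \{ (?P<perms>[^}]*)\};"
)

# Three records copied from the question's log, still wrapped at terminal width.
SAMPLE_LOG = """\
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or l
ine 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_man
ager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or l
ine 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 521 of system/sepolicy/public/domain.te (or line 10809 of policy.conf
) violated by allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
"""

def parse_failures(log_text):
    """Return one dict per neverallow failure in a (possibly wrapped) log."""
    # A wrapped record continues until the next "libsepol." line: drop other newlines.
    joined = re.sub(r"\n(?!libsepol\.)", "", log_text)
    failures = []
    for m in FAILURE_RE.finditer(joined):
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        rec["perms"] = rec["perms"].split()
        failures.append(rec)
    return failures

def exceptions_by_rule(failures):
    """Map each neverallow location to the '-type' terms it would need."""
    grouped = defaultdict(set)
    for f in failures:
        grouped[(f["file"], f["line"])].add(f["source"])
    return {loc: " ".join("-" + t for t in sorted(types))
            for loc, types in grouped.items()}

def is_platform_rule(path):
    # Assumption: rules under system/sepolicy/ are the platform's, others the device tree's.
    return path.startswith("system/sepolicy/")

if __name__ == "__main__":
    for (path, line), terms in exceptions_by_rule(parse_failures(SAMPLE_LOG)).items():
        owner = "platform" if is_platform_rule(path) else "device"
        print(f"{path}:{line} [{owner}] would need {{ ... {terms} }}")
```

Android's CTS tests the platform neverallow rules, so for entries marked platform the change usually belongs in the device's allow rule rather than in system/sepolicy.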
