Build AOSP custom rom
I'm trying to build enforcing, but I had 7 violations. How can I fix?
libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926 of policy.conf) violated by allow hal_camera_default hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_secure_element.te (or line 15685 of policy.conf) violated by allow hal_nfc_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_camera.te (or line 14186 of policy.conf) violated by allow init hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 521 of system/sepolicy/public/domain.te (or line 10809 of policy.conf) violated by allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf) violated by allow qseeproxy default_android_service:service_manager { add };
libsepol.check_assertions: 7 neverallow failures occurred
You are dealing with neverallow violations: You have a rule that says "Never allow type x to do action on some other type/class y:c" and then another rule that says "This subtype of x is allowed to do action on y:c". The SE Linux compiler will reject these contradictory rules. This can be solved by modifying the neverallow rule to make an exception for the specific subtype you want to allow.
More precisely, if you have rules of the form:
neverallow x y:c action;
type z, x;
(meaning z is a special case of x)
allow z y:c action;
Modify the first rule to neverallow {x -z} y:class action; to make an exception for the subtype z.
Example:
Link: neverallow { domain... -installd} staging_data_file:dir *; says objects of type domain should not be allowed to access objects of type staging_data_file and class dir. However, it makes an exception for type installd.
Link: type installd, domain; defines installd to be a special case of domain.
Link: allow installd staging_data_file:dir { open... }; allows installd to do action open on objects of type staging_data_file and class dir.
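As an added example (not part of the original question or answer), this Python script parses libsepol.report_failure lines in the format shown in the question, groups them by the neverallow rule they violate, and lists the -z terms the {x -z} form would need for each rule. It assumes each failure sits on one unwrapped line; the function names are hypothetical.

```python
import re
from collections import defaultdict

# One libsepol failure per line, in the format shown in the build log above.
FAILURE_RE = re.compile(
    r"libsepol\.report_failure: neverallow on line (?P<line>\d+) of (?P<file>\S+) "
    r"\(or line \d+ of policy\.conf\) violated by "
    r"allow (?P<source>\S+) (?P<target>\S+):(?P<cls>\S+) \{ (?P<perms>[^}]*)\};"
)

# Three of the seven failures from the question, unwrapped to one per line.
SAMPLE_LOG = """\
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf) violated by allow qseeproxy default_android_service:service_manager { add };
libsepol.check_assertions: 7 neverallow failures occurred
"""

def parse_failures(log_text):
    """Return one dict per neverallow failure line; other lines are ignored."""
    failures = []
    for m in FAILURE_RE.finditer(log_text):
        f = m.groupdict()
        f["line"] = int(f["line"])
        f["perms"] = f["perms"].split()
        failures.append(f)
    return failures

def group_by_rule(failures):
    """Map each neverallow location (file, line) to the allow rules that violate it."""
    rules = defaultdict(list)
    for f in failures:
        rules[(f["file"], f["line"])].append(f)
    return dict(rules)

def exception_list(violations):
    """The '-z' terms the answer's {x -z} form would need for one neverallow."""
    return " ".join("-" + s for s in sorted({v["source"] for v in violations}))

if __name__ == "__main__":
    for (path, line), vs in group_by_rule(parse_failures(SAMPLE_LOG)).items():
        print(f"{path}:{line}")
        for v in vs:
            print(f"  allow {v['source']} {v['target']}:{v['cls']} {{ {' '.join(v['perms'])} }};")
        print(f"  exception terms for the {{x -z}} form: {exception_list(vs)}")
```

Grouping shows when several allow rules trip the same neverallow, as with line 3 of hal_nfc_default.te in the log above, so each rule is reviewed once with all of its violating subtypes in view.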