
Updating Android 9 SELinux Policy To Allow OTA Updates by System App

I'm currently involved with developing a system kiosk app on an Android 9 custom OS. We've noticed an issue similar to this question while attempting OTA updates: https://stackoverflow.com/a/55748901

To sum up, SELinux policies seem to prevent system apps (running as the system process) from carrying out certain tasks required for the OTA update. As the source code is fully in our control, I'm hoping to modify the SELinux policies to allow the denials below:

avc: denied { remove_name } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { getattr } for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { dac_read_search } for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

So far I have updated the device's system_app.te file to add the listed actions to the allow lists, but I got a long string of SELinux-related build errors on attempting to rebuild.

system_app.te:

typeattribute system_app system_writes_vendor_properties_violators;

set_prop(system_app, vendor_bluetooth_prop)
get_prop(system_app, vendor_default_prop)

allow system_app system_app_data_file:notdevfile_class_set rw_file_perms;
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
allow system_app cache_file:dir { rw_file_perms add_name create search };
allow system_app cache_file:file  { rw_file_perms create };
allow system_app caam_device:chr_file  rw_file_perms;
allow system_app net_radio_prop:property_service  { set };
allow system_app net_radio_prop:property_service  { set };
allow system_app ctl_default_prop:property_service  { set };
allow system_app dhcp_prop:property_service  { set };
allow system_app net_dns_prop:property_service  { set };
allow system_app http_proxy_prop:property_service  { set };
allow system_app net_dns_prop:file { read } ;
allow system_app update_engine:binder { call transfer };
allow system_app vendor_file:file { read open getattr };
allow system_app fs_bpf:dir { search };
allow system_app sysfs_leds:dir search;
allow system_app sysfs_slate:file { getattr open read write };
allow system_app slate_crs_device:chr_file { open read write };
allow system_app selinuxfs:file { read open };
allow system_app config_gz:file { read open getattr };
allow system_app proc:file { open read };

Resulting Error Logs from AOSP Build:

[ 29% 18768/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c        30 -o out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42513:
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 29% 18769/64380] build out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy 
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c         30 -o out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then       echo \"==========\" 1>&2;       echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;         echo \"List of invalid domains:\" 1>&2;         cat out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;       exit 1;         fi ) && (mv out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42942:
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 29% 18770/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy:  policy configuration loaded
out/host/linux-x86/bin/checkpolicy:  writing CIL to out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[ 29% 18771/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_output_stream.cc
[ 29% 18772/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_data.cc
[ 29% 18773/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/readable_font_data.cc
[ 29% 18774/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/port/memory_input_stream.cc
[ 29% 18775/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/growable_memory_byte_array.cc
ninja: build stopped: subcommand failed.
21:53:56 ninja failed with: exit status 1

#### failed to build some targets (20:25 (mm:ss)) ####

Grateful for any advice on how to go about customising these policies correctly.

According to your denials, the policies should be

allow system_app cache_recovery_file:dir create_dir_perms;
allow system_app cache_recovery_file:file create_file_perms;

See global macros defined here

Also, a good way of resolving SELinux denials is searching for them on GitHub and seeing how other people resolved them. Take a look at this example, which had a similar denial to yours.
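As an added example (not code from the question or the answer), the following Python helper parses the avc lines quoted in the question into one merged allow rule per source domain, target type and class, and flags permissions that checkpolicy rejects for a class, which is exactly the remove_name-on-file error in the build log. The DIR_ONLY set is an assumption trimmed to the directory-only permissions relevant here, not the full kernel access-vector table.

```python
import re
from collections import defaultdict

# Constructed sample input: the four denials quoted in the question.
DENIALS = """\
avc: denied { remove_name } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { getattr } for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { dac_read_search } for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
"""

# Assumption: a trimmed subset of permissions that exist only on the dir class.
# checkpolicy rejects any of these on tclass=file ("permission ... is not defined for class file").
DIR_ONLY = {"add_name", "remove_name", "search", "rmdir", "reparent"}

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} .*?"
    r"scontext=u:r:(?P<sdom>[^:\s]+):s0 "
    r"tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):s0 "
    r"tclass=(?P<tclass>\S+)"
)
TE_RE = re.compile(r"allow \S+ \S+:(?P<tclass>\S+) \{ (?P<perms>[^}]*) \}")


def parse_denials(text):
    """Yield (source_domain, target_type, tclass, [perms]) for each avc line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m["sdom"], m["ttype"], m["tclass"], m["perms"].split()


def invalid_perms(tclass, perms):
    """Permissions that checkpolicy would reject for this class."""
    return [p for p in perms if tclass != "dir" and p in DIR_ONLY]


def lint_te_rule(rule):
    """Check one hand-written .te allow line for class/permission mismatches."""
    m = TE_RE.search(rule)
    return invalid_perms(m["tclass"], m["perms"].split()) if m else []


def allow_rules(text):
    """Merge denials into one allow rule per (domain, type, class), in .te syntax.
    Note the init capability denial is a separate domain; it is not fixed by
    rules in system_app.te and should be reviewed on its own."""
    merged = defaultdict(set)
    for sdom, ttype, tclass, perms in parse_denials(text):
        merged[(sdom, ttype, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

Running lint_te_rule over each line of the posted system_app.te would have pointed at the file-class rule before the 20-minute rebuild did; the merged rules can then be replaced by the create_dir_perms / create_file_perms macros from the answer.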
