
Android P SELinux: permission denied for a newly created service

When I add a new service, I find the following error:

SELinux : avc:  denied  { add } for service=xxxManagerService pid=3798 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0

Then I add an allow rule in system_server.te:

allow system_server default_android_service:service_manager { add };

but a build error happens:

libsepol.report_failure: neverallow on line 517 of system/sepolicy/public/domain.te (or line 10355 of policy.conf) violated by allow system_server default_android_service:service_manager { add };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/sti6030d111/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 11% 22/200] target thumb C++: libpqcontrol <= vendor/amlogic/common/frameworks/services/systemcontrol/PQ/SSMAction.cpp

What should I do to make it work and pass CTS?

Android comes with a long list of neverallow rules that make sure you don't grant permissions which break the security of your device. Fortunately, these neverallow rules are well documented in the code. If you look up line 517 in system/sepolicy/public/domain.te you'll find this:

Do not allow service_manager add for default service labels. Instead domains should use a more specific type such as system_app_service rather than the generic type. New service_types are defined in {,hw,vnd}service.te and new mappings from service name to service_type are defined in {,hw,vnd}service_contexts.

You probably used audit2allow to create the rule. This seems to be an easy solution at first, but it will almost always result in a rule set that is hard to read. In the end there is no way around understanding the basics of SELinux in Android.

See here for more information.

I cannot give you an example of what to do now as the things you need to do depend on the type of service you want to add.
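Since the answer stops short of an example, here is one added by the editor; it is not from the original post and not copied from AOSP. It shows the pattern the domain.te comment prescribes: instead of allowing `add` on the generic `default_android_service` label, declare a dedicated service type in service.te and map the registered service name to it in service_contexts. The type name `xxx_manager_service` is an assumed placeholder, the service name `xxxManagerService` is the one printed in the denial above, and the file paths are those of the system/sepolicy tree named in the build error.

```selinux
# system/sepolicy/public/service.te
# (or a system/product-side service.te of your own; system_server is a
#  coredomain, so this does not belong in vendor policy)
#
# Dedicated type for the new service. The attributes do the work:
#   service_manager_type   marks it as a servicemanager object type
#   system_server_service  system_server already holds { add find } on this
#                          attribute, so no new allow rule in system_server.te
#   system_api_service     lets app domains look the service up; drop it if
#                          only platform code should bind to the service
# Type name xxx_manager_service is a placeholder (assumption, not AOSP).
type xxx_manager_service, system_api_service, system_server_service, service_manager_type;

# system/sepolicy/private/service_contexts
#
# Map the name passed to ServiceManager.addService() to the new type.
# Names are matched exactly, so use the one shown in the denial
# (service=xxxManagerService), not a guess at its casing.
xxxManagerService                         u:object_r:xxx_manager_service:s0
```

With this in place the `allow system_server default_android_service:service_manager { add };` line is removed, the neverallow on domain.te line 517 is no longer violated, and the denial disappears because the service is now labelled `xxx_manager_service` rather than `default_android_service`. To check the result after a build, confirm the mapping landed in `out/target/product/<device>/system/etc/selinux/plat_service_contexts` and that `adb shell service list` shows the service without a fresh `avc: denied` line in logcat. Leave domain.te itself untouched: the CTS SELinux host tests re-evaluate the platform neverallow rules against the policy on the device, so relaxing a neverallow to make the build pass would only move the failure to CTS.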
