Android selinux 权限 修复 avc: denied

selinux
{
getenforce 串口命令查看权限

selinux=0 内核关闭 selinux
selinux=1 内核打开 selinux

android 系统 两种模式
androidboot.selinux=permissive 宽松
androidboot.selinux=enforcing 强制

getenforce
setenforce 0 命令，让 selinux 处于宽容模式

sn: getprop ro.serialno
mac: cat /sys/class/net/wlan0/address


相关文件
{
修改权限最好在device下客制化修改
device/xxx/xxx/sepolicy/

原始code的权限最好不要动
system/sepolicy/public/
system/sepolicy/prebuilts/api/xx/public/

}

设置文件 device/softwinner/eros-p1/BoardConfig.mk
BOARD_KERNEL_CMDLINE += selinux=1 androidboot.selinux=permissive androidboot.dtbo_idx=0,1,2
BOARD_KERNEL_CMDLINE += selinux=1 androidboot.selinux=enforcing androidboot.dtbo_idx=0,1,2

权限报错，类似提示
{
init: Unable to set property 'persist.standby.mode' to '1' from uid:1000 gid:1000 pid:7184: SELinux permission check failed
[ 2.047169] selinux: avc: denied { set } for scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
[ 2.064680] selinux: avc: denied { set } for scontext=u:r:vendor_init:s0 tcontext=u:object_r:config_prop:s0 tclass=property_service permissive=1
[ 2.081488] selinux: avc: denied { set } for scontext=u:r:vendor_init:s0 tcontext=u:object_r:exported2_default_prop:s0 tclass=property_service permissive=1
[ 153.759885] selinux: avc: denied { set } for property=persist.standby.mode pid=3928 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
[ 178.937290] selinux: avc: denied { set } for property=settings.notifi.count pid=2183 uid=1000 gid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
avc: denied { write } for name="light" dev="sysfs" ino=14600 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_gpio:s0 tclass=file permissive=0
}

方法一 修改
vendor/aw/homlet/sepolicy/property_contexts
system/sepolicy/.../property_contexts
{
system_prop 对应的只能在 系统层app才能使用
ro.datamax.RomVersion u:object_r:system_prop:s0
persist.ota.server u:object_r:system_prop:s0
persist.standby.mode u:object_r:system_prop:s0
}


方法二
{
抓取相关log，提取权限名称。
dmesg|grep avc
获取所有的avc 权限问题
logcat|grep avc: > /sdcard/avc.log

linux工具 需要先 source build/envsetup.sh & lunch
audit2allow -i avc.log

源码中使用工具生成
{
#============= hal_wifi_default ==============
allow hal_wifi_default vendor_data_file:file getattr;

#============= init ==============
allow init settings_service:service_manager find;
allow init system_file:file execute_no_trans;

#============= system_app ==============
allow system_app system_data_file:file { write read create };
}
根据生成的条件修改 te文件

system/sepolicy/public/system_app.te
allow system_app system_data_file:dir { add_name write };
allow system_app system_data_file:file { create open write };

报错提示:
libsepol.report_failure: neverallow on line 458 of system/sepolicy/public/app.te (or line 8332 of policy.conf) violated by allow system_app system_data_file:dir { write };
libsepol.report_failure: neverallow on line 458 of system/sepolicy/public/app.te (or line 8332 of policy.conf) violated by allow system_app system_data_file:file { write create };
libsepol.check_assertions: 2 neverallow failures occurred

找到 app.te 中对应的 458 等行修改
{
原始:
neverallow appdomain system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };

修改后 1
neverallow appdomain -system_app system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };

修改后 2
neverallow appdomain system_data_file:dir_file_class_set
{ setattr relabelfrom relabelto append unlink link rename };
}

报错提示:
Files system/sepolicy/prebuilts/api/28.0/public/app.te and system/sepolicy/public/app.te differ
对比两个文件输入的字符，一个空格都要一致

编译测试
make selinux_policy
}
}