Android SELinux permission problem (avc: denied) solution

Security-Enhanced Linux, abbreviated SELinux, was originally a security enhancement system for Linux designed by the US National Security Agency and some companies. Google mandated this very strict permission management mechanism on Android, mainly to enhance the security of the system. In development, however, we often run into permission failures caused by SELinux. This article uses a specific case to explain how to quickly solve most SELinux permission problems based on the log.

View SELinux status:
adb shell getenforce

Set SELinux status:
adb shell setenforce 0
adb shell setenforce 1
(1) setenforce 0
Sets SELinux to permissive mode: permissions are only audited, not restricted. It has no substantial effect on the system; violations of SELinux rules are recorded but not blocked.
(2) setenforce 1
Sets SELinux to enforcing mode, in which access is forcibly restricted.

Characteristic log format
avc: denied { permission } for pid=7201 comm="process name" scontext=u:r:source type:s0 tcontext=u:r:target type:s0 tclass=object class permissive=0

Example
avc: denied { append } for pid=8317 comm="RenderThread" name="glsl_shader_log.txt" dev="mmcblk0p35" ino=4077 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
Solution:
Give system_app (system apps) permission to append to files of type system_data_file:
1. Find the system_app.te file
2. Add this rule to the file:
allow system_app system_data_file:file { append };
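
The log-to-rule step above, generalised to several denials, as an added example (not code from the original article): it parses avc: denied lines, groups the permissions by source type, target type and class, and returns one allow rule per group. Only the first sample line comes from the article; the others are constructed, demo_data_file is a hypothetical type, and the <source type>.te file name is an assumption that follows the article's system_app.te.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the article's denial; lines 2-4 are constructed.
SAMPLE_LOG = """\
avc: denied { append } for pid=8317 comm="RenderThread" name="glsl_shader_log.txt" dev="mmcblk0p35" ino=4077 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
avc: denied { open } for pid=8317 comm="RenderThread" name="glsl_shader_log.txt" dev="mmcblk0p35" ino=4077 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
avc: denied { read } for pid=4321 comm="demo.app" name="demo.conf" dev="dm-0" ino=99 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:demo_data_file:s0 tclass=file permissive=1
init: starting service 'demo'...
"""

# Permissions sit between the braces; contexts and class follow as key=value.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}\n]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass\s*=\s*(?P<tclass>\w+)"
)


def context_type(context):
    """Return the type field of user:role:type:level[:categories]."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Return sorted (policy_file, allow_rule) pairs, one per (source, target, class)."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        perm_list = " ".join(sorted(perms))
        # Assumption: rules for a domain live in <domain>.te, as in the article.
        rules.append((f"{src}.te", f"allow {src} {tgt}:{tclass} {{ {perm_list} }};"))
    return rules


if __name__ == "__main__":
    for policy_file, rule in denials_to_rules(SAMPLE_LOG):
        print(f"{policy_file}: {rule}")
```

Review each generated rule before adding it to the policy: a rule on a broadly used type such as system_data_file applies to every file carrying that label, so a dedicated type for the one file is the narrower fix.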

Origin blog.csdn.net/daokedream/article/details/114234255