SELinux avc insufficient permission problem:
1. Compile the debug version.
2. Capture the log: adb shell --> dmesg | grep avc
3. Supplement the corresponding .te file. You can also write a new .te file yourself, but you must first declare it in the system/sepolicy/file_contexts file.
The general principle is to grant whatever permission is missing!!!
First, add the permissions manually based on the error reported in the log.
1. The original .te file of the system
For example, the error message printed out is as follows:
Log analysis:
read/write: the read/write permission is missing;
system_app: the permission is missing in system_app; the .te file has the same name, xxx.te;
serial_device: the missing permission is on serial_device;
chr_file: the file is of type chr_file;
Fix:
In the system_app.te file, add the following statements:
allow system_app serial_device:chr_file read;
allow system_app serial_device:chr_file write;
2. Re-add the .te file
- First go to the system/sepolicy/file_contexts file and declare it (take adb.te as an example):
Specify the path of abc, and specify a name, which must end with the service name (abc) + _exec.
- Create a .te file:
All the permissions granted above are filled in step by step, based on what the avc denied log shows is missing.
3. Flash the user version and check the results.
Second, use audit2allow to generate the permission statements in the right format (convenient and quick)
The Android tool audit2allow generates security policy statements
1. Install the tool on Ubuntu:
sudo apt-get install policycoreutils
sudo apt-get autoremove # run this if the installation has problems
2. Extract all avc logs:
adb shell dmesg | grep avc > avc_log.txt
3. Use the tool to generate policy statements:
audit2allow -i avc_log.txt
The execution result is shown in the picture above, where #============== adpl ============= names the .te file you need to add to. Here we need to find the adpl.te file and then add
allow adpl diag_device:chr_file { read write };
Add only the statements you need.
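To show how the fields from the log analysis above (permission, source type, target type, class) map onto the allow statements that audit2allow prints, here is an added example; it is not from the original article and is not audit2allow's own code. The sample log lines are constructed, and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input in the kernel's avc denial format (not from the page).
SAMPLE_LOG = """\
[ 12.34] type=1400 audit(0.0:45): avc: denied { read } for pid=2345 comm="demo" name="ttyS1" dev="tmpfs" ino=4321 scontext=u:r:system_app:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file permissive=0
[ 12.35] type=1400 audit(0.0:46): avc: denied { write } for pid=2345 comm="demo" name="ttyS1" dev="tmpfs" ino=4321 scontext=u:r:system_app:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file permissive=0
[ 13.01] type=1400 audit(0.0:47): avc: denied { read write } for pid=611 comm="adpl" name="diag" dev="tmpfs" ino=77 scontext=u:r:adpl:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=0
[ 13.02] init: unrelated line that merely mentions avc
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def selinux_type(context):
    """Return the type field of a context such as u:r:system_app:s0:c512,c768."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # grep avc also matches lines that are not denials
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if src and tgt:
            # Repeated denials for the same triple are merged into one rule.
            denials[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Group allow statements by the .te file named after the source type."""
    by_file = defaultdict(list)
    for (src, tgt, tclass), perms in sorted(denials.items()):
        by_file[src + ".te"].append(
            "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms))))
    return dict(by_file)

if __name__ == "__main__":
    for te_file, rules in allow_rules(parse_denials(SAMPLE_LOG)).items():
        print("# add to %s" % te_file)
        print("\n".join(rules))
```

The two separate read and write denials for system_app collapse into a single statement, equivalent to the two allow lines added by hand in the manual method.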
Third, the neverallow error encountered during compilation
Error:
Solution:
For the neverallow error during compilation, you can add the corresponding permissions to the corresponding script named in the error prompt.