需要一些关于Android SELinux构建错误的指南吗_Android_Build_Selinux

需要一些关于Android SELinux构建错误的指南吗

android build

需要一些关于Android SELinux构建错误的指南吗,android,build,selinux,Android,Build,Selinux,我目前正试图在Rockpi4上编译Android 9和Quectel EC25 LTE。但目前我仍停留在SELinux实现上。 EC25 RIL指南告诉我修改/添加以下文件到src树（$Android_src）/system/core/rootdir/ueventd.rc （$Android\u src）/external/sepolicy/file\u上下文（$Android_src）/外部/sepolicy/rild.te 运行make后，我出现以下错误： FAILED:

我目前正试图在Rockpi4上编译Android 9和Quectel EC25 LTE。但目前我仍停留在SELinux实现上。 EC25 RIL指南告诉我修改/添加以下文件到src树

（$Android_src）/system/core/rootdir/ueventd.rc

（$Android\u src）/external/sepolicy/file\u上下文

（$Android_src）/外部/sepolicy/rild.te

运行make后，我出现以下错误：

FAILED: out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c             30 -o out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then          echo \"==========\" 1>&2;               echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;             echo \"List of invalid domains:\" 1>&2;               cat out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;           exit 1;                 fi ) && (mv out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10484 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10370 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[  4% 449/10291] build out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c               30 -o out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10425 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10311 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[  4% 450/10291] //bionic/libc:libc_bionic_ndk clang++ bionic/bionic_systrace.cpp [arm]
ninja: build stopped: subcommand failed.
10:24:06 ninja failed with: exit status 1

我不熟悉Android/SELinux，但我在谷歌上搜索了一下错误，发现“Neveralow”指令是在没有任何运气的情况下设置的

我们将不胜感激

rgds

您的允许规则对于Android来说太通用了

Neveralow规则有很好的文档记录。查看错误消息中的

system/sepolicy/public/domain.te:532

和

system/sepolicy/public/domain.te:418

：

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;

您需要找出必须设置哪些属性

rild

，然后添加更具体的允许规则。检查现有的

property\u上下文

文件是否已为

rild

所需的属性指定了类型，或者自己创建它们。对于想要访问的设备，

rild

也需要这样做

注意：在

system/sepolicy/public/te_macros

中有宏，这将使您的

rild.te

更具可读性。示例：将

allow rild default\u prop:property\u service set

替换为

set\u prop（rild，default\u prop）

这有帮助吗？在将“-rild”添加到以下行之后：system/sepolicy/public/domain.te:418 neveralow{domain-rild}设备：chr_文件{open read write}；system/sepolicy/public/domain.te:523 neverallow{domain-init-vendor\u init-rild}default\u prop:property\u service set；我收到以下错误：system/sepolicy/public/domain.te:418:错误“未知类型rild”位于标记“；”第10295行：neverallow{domain-rild}设备：chr_文件{open read write}；好吧，这很奇怪。系统/sepolicy中的现有来源还提到rild，对吗？它有“type rild，domain；”吗？我检查了文件夹“system/sepolicy/*”中包含“type rild，domain；”system/sepolicy/vendor/rild.te system/sepolicy/prebuilts/api/26.0/public/rild.te系统/sepolicy/prebuilts/api/27.0/public/rild.te的文件，这些文件都在/system/sepolicy/*中。这个问题解决了？？我也面临同样的问题。

allow rild default_prop:property_service set;
allow rild device:chr_file { read write ioctl open getattr };
allow rild kernel:system module_request;
allow rild net_radio_prop:property_service set;
allow rild ppp_device:chr_file { read write ioctl open };
allow rild ppp_exec:file { read execute open execute_no_trans };
allow rild radio_prop:property_service set;
allow rild self:capability { net_admin setuid };
allow rild shell_exec:file { read execute open execute_no_trans };
allow rild sysfs_wake_lock:file { open read write };
allow rild system_file:file execute_no_trans;
allow rild system_prop:property_service set;

FAILED: out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c             30 -o out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then          echo \"==========\" 1>&2;               echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;             echo \"List of invalid domains:\" 1>&2;               cat out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;           exit 1;                 fi ) && (mv out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10484 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10370 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[  4% 449/10291] build out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c               30 -o out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10425 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10311 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[  4% 450/10291] //bionic/libc:libc_bionic_ndk clang++ bionic/bionic_systrace.cpp [arm]
ninja: build stopped: subcommand failed.
10:24:06 ninja failed with: exit status 1

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };