如何在AOSP 9构建中的SELinux策略中禁用SELinux或允许新域？

Question

我正在尝试使用新的守护程序构建AOSP 9，但是SELinux不允许我这样做。 我的sierra_config_ip.te文件的开头是这样：

type sierra_config_ip, domain;
permissive sierra_config_ip;
type sierra_config_ip_exec, exec_type, file_type;

init_daemon_domain(sierra_config_ip)

我的file_contexts是：

/(vendor|system/vendor)/bin/init.config.ip      u:object_r:sierra_config_ip_exec:s0

我的init.rc是：

service sierra_config_ip /vendor/bin/init.config.ip
    class main
    user root
    group radio cache inet misc dhcp
    capabilities BLOCK_SUSPEND NET_ADMIN NET_RAW
    disabled
    oneshot

但是我总是收到以下错误：

[  0% 3/56037] build out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c      30 -o out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/evk_8mm/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd sierra_dhcpcd_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip sierra_config_ip_exec:file { execute entrypoint };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip dhcp_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_config_ip shell_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 1005 of system/sepolicy/public/domain.te (or line 11245 of policy.conf) violated by allow sierra_dhcpcd toolbox_exec:file { execute execute_no_trans };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_config_ip net_data_file:dir { search };
libsepol.report_failure: neverallow on line 873 of system/sepolicy/public/domain.te (or line 10996 of policy.conf) violated by allow sierra_dhcpcd net_data_file:dir { search };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip net_data_file:file { open };
libsepol.report_failure: neverallow on line 846 of system/sepolicy/public/domain.te (or line 10945 of policy.conf) violated by allow sierra_config_ip dhcp_data_file:file { create setattr lock map unlink rename open };
libsepol.check_assertions: 10 neverallow failures occurred
Error while expanding policy

我不知道为什么不起作用，我按照此处其他主题（如this one）中所述的步骤进行操作。有人可以帮我吗？

除此之外，我尝试禁用SELinux以最终能够构建Android。为此，我把它放在

enforcing=0 androidboot.selinux=disabled

在BoardConfig.mk的BOARD_KERNEL_CMDLINE中，但是策略是以前构建的，并且错误再次发生！

我还尝试将-sierra_config_ip放入domain.te：

full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones whitelist here.
    neverallow {
        domain
        -coredomain
        -appdomain
        -vendor_executes_system_violators
        -vendor_init
        -evs_domain
        -sierra_config_ip
    } {
        exec_type
        -vendor_file_type
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
')

但是出现以下错误：

system/sepolicy/public/domain.te:1005:ERROR 'unknown type sierra_config_ip' at token ';' on line 11251:
#line 1005
    }:file { entrypoint execute execute_no_trans };

在此先感谢您的帮助！ ：）

Answer 1

您需要在device / fsl / XXX / XXX / BoardConfig.mk中添加以下“ BOARD_KERNEL_CMDLINE + = androidboot.selinux = permissive”