SEAndroid:如何修复不允许的允许域

Question

当我为我的时间戳过程创建一个新的域类型时，我有一些SEAndroid问题，但是在“永不允许”中仍然存在一些冲突问题。有人能给我个提示或线索吗？请参阅以下描述。

avc拒绝日志：

120.810387 type=1400审计(932699.049:188)：avc:拒绝{ execute_no_trans } for pid=3875 comm="system_server“path=/system/bin/sh”dev=“mmcblk0p47 ino=791 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 120.827670 type=1400审计(932699.049:188)：avc:拒绝{ execute_no_trans } for pid=3875 comm="system_server”/system/bin/sh“en22#服务器:S0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 120.827684 type=1400审核(932699.069:189)：avc:拒绝{ getattr } for pid=3877 comm="sh“path=/system/bin/时间戳”dev="mmcblk0p47“ino=832 scontext=u:r:system_server:s0 tclass=file permissive=1 120.828287 type=1400审核”(932699.069:189)：avc:拒绝{ getattr } for pid=3877 comm="sh“/system/bin/时间戳”type=1400“en19 19scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 120.828300 type=1400审计(932699.069:190)：avc: pid=3877 comm="sh“时间戳”dev="mmcblk0p47“ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 120.828593 type=1400 type=1400”(932699.069:190)的{ execute }被拒绝(932699.069:190)：avc:拒绝{ execute } for pid=3877 comm="sh“type=1400”时间戳“en22#：system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 120.828607 type=1400审计(932699.069:191)：avc:拒绝{ read open } for pid=3877 comm="sh“path=/system/bin/时间戳”dev="mmcblk0p47“ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 120.828981 type=1400 type=1400”(932699.069:191)：avc:拒绝{ read } for pid=3877 permissive=1“sh”/system/bin/时间戳“en19”"mmcblk0p47“ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 120.828996 type=1400审计(932699.069:192)：avc:拒绝{ execute_no_trans } for pid=3877 comm="sh”path=/system/bin/时间戳“dev=”mmcblk0p47 ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file 120.845574 type=1400审计(932699.069:192)：avc:拒绝{en19} forcomm="sh“path=/system/bin/时间戳”dev="mmcblk0p47“ino=832 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 120.845587 type=1400审计”(932699.089:193)：avc: pid=3879 comm="sh“path=/system/bin/dev=”dev=“mmcblk0p47 en19#

我的timestamp.te：

type timestamp, domain; type timestamp_exec, exec_type, file_type; init_daemon_domain(timestamp)

我的file_contexts：

/system/bin/timestamp        u:object_r:timestamp_exec:s0

我的system_server.te：

allow system_server timestamp_exec:file { execute_no_trans getattr execute read open };

编译器失败的日志：

失败: out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8996/obj/ETC/26.0.cil_intermediates/26.0.cil out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy )out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp -o .cil -o -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-分析out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp允许性> out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains )& (if \"userdebug\“=\”user\\“-a -s out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains；然后回显\"==========\“1>&2；echo \”错误:用户生成中不允许允许的域\“1>&2；回显无效域的列表：\”1>&2；cat 1>&2 1>&2；退出1；fi )& (mv out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy )“系统/sepolicy/ out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:12033 /system_server.te(从不允许system_server base_typeattr_218 (文件) (execute_no_trans ))检查失败())允许at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:7533 (允许system_server_26_0 timestamp_exec (文件(读取getattr执行execute_no_trans打开))生成二进制文件失败，生成策略to失败

Answer 1

请尝试在“类型时间戳，域”末尾添加"mlstrustedsubject，coredomain“；

-    type timestamp, domain;

+    type timestamp, domain, mlstrustedsubject, coredomain;