1. Getting the kernel log from an Android device

The simplest way is to redirect the output of dmesg to a file. Note that on a production (user) build this needs a root shell, because Android's init.rc sets kernel.dmesg_restrict=1; on userdebug/eng builds run adb root first. The same AVC records are also forwarded to logcat by logd's auditd thread (the [..:603:logd.auditd] prefix in the records below is logd re-emitting them), so adb logcat -b all | grep "avc: denied" is an alternative that does not require root.

dmesg > /sdcard/dmesg.txt

After pulling the file out with adb pull you will see SELinux denials like the following. Each record names the access that was attempted ({ read }), the process (pid, comm), the object (name, dev, ino), the source and target security contexts, the object class and a permissive flag. permissive=1, as in this line, means the source domain (or the whole device) was in permissive mode: the access was logged but not blocked. permissive=0, as in the records in the next section, means the access was actually denied.

<5>[    6.045281] [1:155:kauditd] audit: type=1400 audit(2245.069:3): avc:  denied  { read } for  pid=1 comm="init" name="mz_rpmb_ctl" dev="tmpfs" ino=28162 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=1

2. Finding the SELinux denials

grep "avc" dmesg.txt

For example, my log output is as follows:

<36>[  185.262911] [0:603:logd.auditd] type=1400 audit(1542768382.806:1551): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[  186.136447] [0:603:logd.auditd] type=1400 audit(1542768382.806:1554): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0 duplicate messages suppressed
<36>[  186.136630] [0:603:logd.auditd] type=1400 audit(1542768383.676:1555): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[  186.812992] [1:603:logd.auditd] type=1400 audit(1542768383.676:1555): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[  186.813073] [1:603:logd.auditd] type=1400 audit(1542768384.356:1556): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  186.816160] [2:603:logd.auditd] type=1400 audit(1542768384.356:1556): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  186.816236] [2:603:logd.auditd] type=1400 audit(1542768384.356:1557): avc: denied { read } for pid=1907 comm="Binder:1907_C" name="chipid" dev="proc" ino=4026531947 scontext=u:r:system_server:s0 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  190.147428] [0:603:logd.auditd] type=1400 audit(1542768386.966:1565): avc: denied { read } for pid=1907 comm="Thread-2" name="sync_temp" dev="sysfs" ino=80221 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
<36>[  190.147615] [0:603:logd.auditd] type=1400 audit(1542768387.686:1566): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[  191.267217] [3:603:logd.auditd] type=1400 audit(1542768388.686:1567): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[  191.267405] [3:603:logd.auditd] type=1400 audit(1542768388.806:1568): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[  192.162748] [3:603:logd.auditd] type=1400 audit(1542768388.806:1571): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0 duplicate messages suppressed
<36>[  192.162812] [3:603:logd.auditd] type=1400 audit(1542768389.706:1572): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[  193.623336] [3:603:logd.auditd] type=1400 audit(1542768390.706:1573): avc: denied { write } for pid=2584 comm="TcmReceiver" name="tcm" dev="tmpfs" ino=29074 scontext=u:r:radio:s0 tcontext=u:object_r:dpmtcm_socket:s0 tclass=sock_file permissive=0
<36>[  193.623390] [3:603:logd.auditd] type=1400 audit(1542768391.166:1574): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  193.625833] [0:603:logd.auditd] type=1400 audit(1542768391.166:1574): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  193.625881] [0:603:logd.auditd] type=1400 audit(1542768391.166:1575): avc: denied { read } for pid=1907 comm="Binder:1907_A" name="chipid" dev="proc" ino=4026531947 scontext=u:r:system_server:s0 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  195.547366] [3:603:logd.auditd] type=1400 audit(1542768391.896:1580): avc: denied { read } for pid=6232 comm="m.meizu.account" name="bl_unlock" dev="proc" ino=4026531940 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_mz_info:s0 tclass=file permissive=0
<36>[  195.547426] [3:603:logd.auditd] type=1400 audit(1542768393.086:1583): avc: denied { read } for pid=7194 comm="pp.v3.apiWorker" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=22887 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
<36>[  197.276747] [1:603:logd.auditd] type=1400 audit(1542768393.086:1583): avc: denied { read } for pid=7194 comm="pp.v3.apiWorker" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=22887 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
<36>[  197.276807] [1:603:logd.auditd] type=1400 audit(1542768394.816:1584): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
<36>[  198.325751] [1:603:logd.auditd] type=1400 audit(1542768394.816:1587): avc: denied { search } for pid=937 comm="cnss_diag" name="0" dev="dm-1" ino=131076 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0 duplicate messages suppressed
<36>[  198.325828] [1:603:logd.auditd] type=1400 audit(1542768395.866:1588): avc: denied { read } for pid=4664 comm="ontrollerWorker" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=22887 scontext=u:r:system_app:s0 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0

3. Analysing the AVC denials

The audit2allow tool (shipped with policycoreutils on the host) can turn the denial records into candidate policy rules:

grep avc dmesg.txt | audit2allow

For example, my output is as follows (it was produced from a larger log than the excerpt above, which is why it also lists domains such as rild and priv_app that do not appear there):

#============= platform_app ==============
allow platform_app app_data_file:file execute;
allow platform_app net_dns_prop:file read;
allow platform_app proc_mz_info:file read;
allow platform_app serialno_prop:file read;
allow platform_app sysfs_net:dir search;

#============= priv_app ==============
allow priv_app proc_uptime:file read;
allow priv_app serialno_prop:file read;

#============= private_file_app ==============
allow private_file_app app_data_file:dir search;

#============= qti_init_shell ==============
allow qti_init_shell default_prop:file read;

#============= radio ==============
allow radio dpmtcm_socket:sock_file write;

#============= rild ==============
allow rild diag_device:chr_file { read write };
allow rild vendor_pd_locater_dbg_prop:file read;

#============= system_app ==============
allow system_app default_prop:property_service set;
allow system_app platform_app:file read;
allow system_app radio_prop:property_service set;
allow system_app serialno_prop:file read;
allow system_app sysfs_net:dir search;

#============= system_server ==============
allow system_server custom_file:dir { getattr search };
allow system_server proc_mz_info:file read;
allow system_server sysfs:file { read write };
allow system_server tptype_prop:file read;
allow system_server wfd_debug_prop:file read;

This makes it very easy to locate the AVC denials, and the tool already proposes a rule for each one; the rules can be pasted into the corresponding .te file of the SELinux policy. Treat the output as a starting point rather than a fix, though. audit2allow only transcribes what was denied; it does not know whether the access should be granted. Review each generated rule before adding it: a rule that lets an app domain (platform_app, system_app, priv_app) read serialno_prop or vendor proc files, or that lets a domain set default_prop or write to the generic sysfs type, widens the attack surface and may conflict with AOSP neverallow rules, in which case the policy build (and CTS) rejects it. In such cases the right fix is usually to give the object a dedicated label (a specific property context or file type) and allow only that, or to stop the process from performing the access, not to allow it blanket. Also check the permissive flag: records with permissive=1 come from a permissive domain and were never actually blocked, so they show what enforcing the domain would break rather than what is currently failing. Finally, audit2allow -R asks the tool to express rules through existing macros from the reference policy where it can, which usually reads better than the raw allow lines.
