audit(0.0:67): avc: denied { write } for path="/dev/block/vold/92:94" dev="tmpfs" ino=/1363 scontext=u:r:kernel:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
- Find the related sepolicy file; it is named after the scontext (scontext.te)
  \device\abc\XXXX_XX_XXX\sepolicy
- Format of the rule to add
  allow scontext tcontext:tclass denied;
- For the example above (kernel.te)
  allow kernel block_device:blk_file write;
audit(0.0:52): avc: denied { execute } for path="/data/data/com.mofing/qt-reserved-files/plugins/platforms/libgnustl_shared.so" dev="nandl" ino=115402 scontext=u:r:platform_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
- scontext.te
  allow platform_app app_data_file:file execute;
  or
  allow platform_app app_data_file:file rwx_file_perms;
audit(1222651428.801:3): avc: denied { search } for pid=148 comm="setmacaddr" name="/" dev="nandi" ino=1 scontext=u:r:engsetmacaddr:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
- engsetmacaddr.te
  allow engsetmacaddr vfat:dir create_dir_perms;
- create_dir_perms includes search, write, add_name and create.
  See system/sepolicy/public/global_macros
audit(1221759384.820:4): avc: denied { read } for pid=1484 comm="sdcard" name="0" dev="nandk" ino=245281 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
- sdcardd.te
  allow sdcardd system_data_file:dir rw_dir_perms;
- rw_dir_perms includes read and write.
  See system/sepolicy/public/global_macros
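
The mapping used throughout this page (denial fields to `allow scontext tcontext:tclass denied;`, placed in scontext.te) can be scripted. The following is an added example, not code from the original post: it parses AVC denial lines, merges permissions denied for the same source, target and class, and groups the resulting rules by .te file. The function name `denials_to_rules` is hypothetical, and the sample log holds two denials quoted above plus one constructed line.

```python
import re
from collections import defaultdict

# Fields of an AVC denial that the allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=u:r:(?P<src>\w+):\S+\s+"
    r"tcontext=u:(?:object_)?r:(?P<tgt>\w+):\S+\s+"
    r"tclass=(?P<cls>\w+)"
)

# Two denials from the page; the last line is constructed to show merging.
SAMPLE = """\
audit(0.0:67): avc: denied { write } for path="/dev/block/vold/92:94" dev="tmpfs" ino=/1363 scontext=u:r:kernel:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
audit(1222651428.801:3): avc: denied { search } for pid=148 comm="setmacaddr" name="/" dev="nandi" ino=1 scontext=u:r:engsetmacaddr:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
audit(0.0:68): avc: denied { read } for path="/dev/block/vold/92:94" dev="tmpfs" ino=1363 scontext=u:r:kernel:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
"""

def denials_to_rules(log_text):
    """Return {"<scontext>.te": [allow rules]} for every denial in log_text."""
    merged = defaultdict(set)  # (src, tgt, class) -> denied permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["src"], m["tgt"], m["cls"])
            merged[key].update(m["perms"].split())
    files = defaultdict(list)
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        # A single permission is written bare, several go inside { }.
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        files[src + ".te"].append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return dict(files)

if __name__ == "__main__":
    for te_file, rules in denials_to_rules(SAMPLE).items():
        print(te_file)
        for rule in rules:
            print("  " + rule)
```

The output contains only the permissions that were actually denied; a macro from global_macros such as create_dir_perms grants a wider set than the single denied permission.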