[DESCRIPTION]
若有自行修改Sepolicy导致违反Google的Neverallow rule,CTS 将fail。比如:
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules110 FAIL
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { domain -system_server -system_app -init -installd } system_data_file:file { append create link unlink relabelfrom rename setattr write };
libsepol.report_failure: neverallow violated by allow install_recovery system_data_file:file { write create setattr relabelfrom append unlink link rename };
libsepol.check_assertions: 1 neverallow failures occurred
[SOLUTION]
查看CTS host log,找出neverallow violated by后面的部分,
即
allow install_recovery system_data_file:file { write create setattr relabelfrom append unlink link rename };
这个policy一般是在如下te文件中添加,需要客户自行检查:
alps/device/mediatek/common/sepolicy/install_recovery.te
alps/external/sepolicy/install_recovery.te
若上面的te文件中找不到这个修改说明是在别处te文件中添加的,则可以在
out/target/product/project/obj/ETC/sepolicy_intermediates中搜索即可,这是所有selinux policy的汇总。
上面fail的信息是说这一行policy违反了Google 原生的Neverallow policy:
neverallow { domain -system_server -system_app -init -installd } system_data_file:file { append create link unlink relabelfrom rename setattr write };
从而导致CTS fail,移除这一行即可。
Note:
必须维持external/sepolicy 与Google AOSP一致, 尽量不要修改.
特别是不要去除任何的neverallow 语句.