Platform: RK3399
OS: Android 7.1
Kernel: v4.4.83

Description: Earlier, while working on an MTP problem, I switched SELinux to permissive. After that, background services I had added myself would no longer start, for example my own batteryd service.

Log:

```
init: Service batteryd does not have a SELinux domain defined.
```

Cause: once the SELinux security-check mechanism is enabled, init checks every newly added service for a SELinux domain.

Solution: using the batteryd service as the example.

Add to init.rc:

```
service batteryd /system/bin/batteryd
    class late_start
    user root
    oneshot
    seclabel u:r:batteryd:s0
```

Add to file_contexts:

```
kris@ecobsp:~/rk3399/device/rockchip/common/sepolicy$ g df
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d33fb31..73f0729 100755
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -152,3 +152,9 @@
 /dev/block/mmcblk1 u:object_r:uboot_block_device:s0
 /dev/block/mmcblk1rpmb u:object_r:rpmb_block_device:s0
+
+/system/bin/batteryd u:object_r:batteryd_exec:s0
```

Then add a new file batteryd.te in the same directory:

```
type batteryd, domain;
type batteryd_exec, exec_type, file_type;
init_daemon_domain(batteryd)
```

Build boot.img; the batteryd service is now running:

```
rk3399_mid:/ $ ps | grep batteryd
root 246 1 10032 1968 0 0000000000 S /system/bin/batteryd
```

There are still some problems, though:

```
[ 2.578694] type=1400 audit(1514752624.453:16): avc: denied { create } for pid=246 comm="batteryd" scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=tcp_socket permissive=1
[ 2.578851] type=1400 audit(1514752624.453:17): avc: denied { net_raw } for pid=246 comm="batteryd" capability=13 scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=capability permissive=1
[ 2.579176] type=1400 audit(1514752624.456:18): avc: denied { setopt } for pid=246 comm="batteryd" scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=tcp_socket permissive=1
[ 2.579288] type=1400 audit(1514752624.456:19): avc: denied { bind } for pid=246 comm="batteryd" scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=tcp_socket permissive=1
```

Next, collect all of the related avc denied messages:

```
dmesg | grep avc > /sdcard/avc_log.txt
```

On Ubuntu, install the tool:

```
sudo apt-get install policycoreutils
```

Generate the rules for the batteryd-related log entries:

```
audit2allow -i avc_log.txt
```

The batteryd-related result is:

```
#============= batteryd ==============
allow batteryd node:tcp_socket node_bind;
allow batteryd port:tcp_socket name_bind;
allow batteryd rootfs:lnk_file getattr;
allow batteryd self:capability net_raw;
allow batteryd self:tcp_socket { bind create setopt accept listen };
allow batteryd system_file:file entrypoint;
```

Copy these lines into batteryd.te and build boot.img again; the following error appears:

```
FAILED: /bin/bash -c "(out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/policy.conf ) && (out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates//sepolicy.dontaudit out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/policy.conf.dontaudit ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ "user" = "user" -a -s out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo "==========" 1>&2; echo "ERROR: permissive domains not allowed in user builds" 1>&2; echo "List of invalid domains:" 1>&2; cat out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 237 of system/sepolicy/domain.te (or line 8823 of policy.conf) violated by allow batteryd system_file:file { entrypoint };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/rk3399_mid/obj/ETC/sepolicy_intermediates/policy.conf
ninja: build stopped: subcommand failed.
make: *** [ninja_wrapper] Error 1
#### make failed to build some targets (05:59 (mm:ss)) ####
```

Modify domain.te:

```
kris@ecobsp:~/rk3399/system/sepolicy$ g df
diff --git a/domain.te b/domain.te
index 45569de..0c02969 100644
--- a/domain.te
+++ b/domain.te
@@ -234,7 +234,7 @@
 neverallow { domain -init } kernel:security setsecparam;
 neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+neverallow { -batteryd } { file_type -exec_type -postinstall_file }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
```

The build now passes, and the device boots normally after flashing.

Original author: KrisFei
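Review bot: the `+/system/bin/batteryd u:object_r:batteryd_exec:s0` line in the file_contexts hunk never reached the device, which is what the later audit2allow output proves: `allow batteryd system_file:file entrypoint;` can only appear if /system/bin/batteryd was still carrying the generic system_file label when the denials were collected. Only boot.img was rebuilt after this change, but on Android 7.1 the labels of files under /system are applied when system.img is built, so the step that is missing is rebuilding and flashing system.img (then confirming with `ls -Z /system/bin/batteryd` that it shows u:object_r:batteryd_exec:s0). Once the binary carries batteryd_exec, init_daemon_domain(batteryd) already grants the entrypoint, and the neverallow failure that follows does not occur.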
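Review bot: the `+neverallow { -batteryd } ...` line in the domain.te hunk removes batteryd from a core upstream neverallow instead of fixing the cause of the violation, and it should be dropped. The rule on line 237 is the one that guarantees every executable a domain is entered through is labeled exec_type; it fired because batteryd.te now contains `allow batteryd system_file:file entrypoint;`, which was copied verbatim from audit2allow. The right change is to delete that allow line from batteryd.te and make sure the binary is actually labeled batteryd_exec (the earlier file_contexts entry plus a rebuilt system.img), leaving system/sepolicy/domain.te untouched; a locally patched domain.te also turns every future upstream sepolicy update into a merge conflict. Separately, `{ -batteryd }` as a source set with no positive member is unusual; the conventional form for such an exception is `{ domain -batteryd }`.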
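As an added example (it is not from the original post and not part of the RK3399 BSP), the following Python script does what `dmesg | grep avc` plus `audit2allow` did above: it parses avc denial lines, groups them per source type, target type and class, and prints allow rules. It then flags the two kinds of rule that should not be copied blindly into a .te file: an `entrypoint` grant on a target type that is not an `*_exec` type, which is the signature of a mislabeled binary and exactly what produced the neverallow failure in the post, and capability grants such as net_raw. The sample input is constructed from the four denial lines quoted in the post plus one entrypoint denial written in the same format; the `*_exec` naming check and the list of capabilities to flag are heuristics of this script, not audit2allow behaviour.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the post, plus one
# entrypoint denial (constructed, same dmesg format) showing the binary
# still labeled system_file instead of batteryd_exec.
SAMPLE_DMESG = """\
[    2.560000] type=1400 audit(1514752624.440:15): avc: denied { entrypoint } for pid=246 comm="init" path="/system/bin/batteryd" dev="mmcblk0p12" ino=1234 scontext=u:r:batteryd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
[    2.578694] type=1400 audit(1514752624.453:16): avc: denied { create } for pid=246 comm="batteryd" scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=tcp_socket permissive=1
[    2.578851] type=1400 audit(1514752624.453:17): avc: denied { net_raw } for pid=246 comm="batteryd" capability=13 scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=capability permissive=1
[    2.579176] type=1400 audit(1514752624.456:18): avc: denied { setopt } for pid=246 comm="batteryd" scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=tcp_socket permissive=1
[    2.579288] type=1400 audit(1514752624.456:19): avc: denied { bind } for pid=246 comm="batteryd" scontext=u:r:batteryd:s0 tcontext=u:r:batteryd:s0 tclass=tcp_socket permissive=1
"""

# Matches the fields of a kernel avc denial line. Anything between the
# permission set and scontext= (comm, path, capability=...) is skipped.
AVC_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
    r'(?: +permissive=(?P<permissive>[01]))?'
)

# Heuristic list (assumption of this script): capabilities a root daemon
# rarely needs and that deserve a second look before being granted.
RISKY_CAPABILITIES = {
    "net_raw", "net_admin", "sys_admin", "sys_module", "sys_rawio",
    "sys_ptrace", "dac_override", "dac_read_search", "setuid", "setgid",
}


def parse_denials(text):
    """Return one dict per avc denial line; lines that do not match are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = set(d["perms"].split())
        # The type is the third field of a context (u:r:batteryd:s0 -> batteryd).
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        d["permissive"] = d["permissive"] == "1"
        denials.append(d)
    return denials


def summarize(denials):
    """Group permissions per (source type, target type, class), using 'self'
    when source and target types are equal, as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        rules[(d["stype"], target, d["tclass"])] |= d["perms"]
    return rules


def format_rules(rules):
    """Render the grouped rules as allow statements, one per line."""
    lines = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return lines


def review(rules):
    """Flag rules that should be investigated rather than copied into a .te file."""
    findings = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        # entrypoint on a non-exec type means the executable is mislabeled;
        # the fix is file_contexts plus a rebuilt image, not an allow rule.
        if tclass == "file" and "entrypoint" in perms and not target.endswith("_exec"):
            findings.append(
                f"{stype}: entrypoint on {target} means the binary is not labeled "
                f"{stype}_exec; fix the label instead of allowing it")
        if tclass == "capability":
            risky = sorted(perms & RISKY_CAPABILITIES)
            if risky:
                findings.append(
                    f"{stype}: grants capability {', '.join(risky)}; confirm the daemon needs it")
    return findings


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_DMESG)
    rules = summarize(denials)
    print("\n".join(format_rules(rules)))
    for finding in review(rules):
        print("WARNING:", finding)
```

Run against a real capture, replace `SAMPLE_DMESG` with the contents of `/sdcard/avc_log.txt`. Every line in the sample carries `permissive=1`, which the parser keeps: it is a reminder that these denials were only logged because SELinux was permissive at the time, and in enforcing mode each one would have failed the call.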
1 answer
6666