android 中的新框架服务的 SELinux 权限被拒绝
SELinux Permission Denied for a new framework service in android
中的教程在早期版本 (4.4) 的 Android 框架中添加了一个新的系统服务
但是当我尝试在 Android Lollipop 中做类似的事情时,SELinux 策略不允许我这样做。
这是 logcat 的输出。
05-11 15:49:51.362 248 248 I SystemServer: Test Service Starting
05-11 15:49:51.364 248 248 I TestManagerService: Started Test Manager Service
05-11 15:49:51.370 54 54 E SELinux : avc: denied { add } for service=TestManagerService scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
05-11 15:49:51.371 54 54 E ServiceManager: add_service('TestManagerService',28) uid=1000 - PERMISSION DENIED
05-11 15:49:51.378 248 248 E SystemServer: Failure starting TestManagerService
05-11 15:49:51.378 248 248 E SystemServer: java.lang.SecurityException
05-11 15:49:51.378 248 248 E SystemServer: at android.os.BinderProxy.transactNative(Native Method)
05-11 15:49:51.378 248 248 E SystemServer: at android.os.BinderProxy.transact(Binder.java:496)
05-11 15:49:51.378 248 248 E SystemServer: at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
05-11 15:49:51.378 248 248 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:72)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.server.SystemServer.startOtherServices(SystemServer.java:551)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.server.SystemServer.run(SystemServer.java:257)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.server.SystemServer.main(SystemServer.java:171)
05-11 15:49:51.378 248 248 E SystemServer: at java.lang.reflect.Method.invoke(Native Method)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:723)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:613)
我不想禁用 SELinux 策略。我只希望政策也允许我的新服务。我应该怎么办?
检查此 link:http://androidosp.blogspot.com.tr/2014/11/selinux-seandroid-exceptions-for-system.html
您只需转到:/external/sepolicy/service_contexts
并在那里添加您的新服务。而已!
添加到你的 sepolicy 文件中
- 允许system_serverdefault_android_service:service_manager添加
提交:
android-dev\external\sepolicy\service.te
添加:
type mytest_service, system_api_service, system_server_service,
service_manager_type;
提交:
android-dev\external\sepolicy\service_contexts
添加:
mytestservice u:object_r:mytest_service:s0
其中 mytestservice 您的名称服务
对我有帮助
在 Android 7.1.1 中,service_contexts 文件已移至 system/sepolicy
将服务 "foo" 添加到策略 添加到文件 service_contexts
foo u:object_r:foo_service:s0
并在 service.te 中添加:
type foo_service, app_api_service, system_server_service, service_manager_type;
可以通过在设备 sepolicy 目录中添加 service_contexts & service.te 文件来创建特定于设备的策略:device/myDevice/versionName/sepolicy
但是当我尝试在 Android Lollipop 中做类似的事情时,SELinux 策略不允许我这样做。 这是 logcat 的输出。
05-11 15:49:51.362 248 248 I SystemServer: Test Service Starting
05-11 15:49:51.364 248 248 I TestManagerService: Started Test Manager Service
05-11 15:49:51.370 54 54 E SELinux : avc: denied { add } for service=TestManagerService scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
05-11 15:49:51.371 54 54 E ServiceManager: add_service('TestManagerService',28) uid=1000 - PERMISSION DENIED
05-11 15:49:51.378 248 248 E SystemServer: Failure starting TestManagerService
05-11 15:49:51.378 248 248 E SystemServer: java.lang.SecurityException
05-11 15:49:51.378 248 248 E SystemServer: at android.os.BinderProxy.transactNative(Native Method)
05-11 15:49:51.378 248 248 E SystemServer: at android.os.BinderProxy.transact(Binder.java:496)
05-11 15:49:51.378 248 248 E SystemServer: at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
05-11 15:49:51.378 248 248 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:72)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.server.SystemServer.startOtherServices(SystemServer.java:551)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.server.SystemServer.run(SystemServer.java:257)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.server.SystemServer.main(SystemServer.java:171)
05-11 15:49:51.378 248 248 E SystemServer: at java.lang.reflect.Method.invoke(Native Method)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:723)
05-11 15:49:51.378 248 248 E SystemServer: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:613)
我不想禁用 SELinux 策略。我只希望政策也允许我的新服务。我应该怎么办?
检查此 link:http://androidosp.blogspot.com.tr/2014/11/selinux-seandroid-exceptions-for-system.html
您只需转到:/external/sepolicy/service_contexts
并在那里添加您的新服务。而已!
添加到你的 sepolicy 文件中
- 允许system_serverdefault_android_service:service_manager添加
提交:
android-dev\external\sepolicy\service.te
添加:
type mytest_service, system_api_service, system_server_service, service_manager_type;
提交:
android-dev\external\sepolicy\service_contexts
添加:
mytestservice u:object_r:mytest_service:s0
其中 mytestservice 您的名称服务
对我有帮助
在 Android 7.1.1 中,service_contexts 文件已移至 system/sepolicy
将服务 "foo" 添加到策略 添加到文件 service_contexts
foo u:object_r:foo_service:s0
并在 service.te 中添加:
type foo_service, app_api_service, system_server_service, service_manager_type;
可以通过在设备 sepolicy 目录中添加 service_contexts & service.te 文件来创建特定于设备的策略:device/myDevice/versionName/sepolicy