Fixing the unlabeled context in sepolicy
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 14:46
Original article: http://blog.csdn.net/shift_wwx/article/details/77500458
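I recently needed to add a persist partition on our platform, which meant adding sepolicy for it. But no matter how I changed the policy, ls -Z on the partition always showed u:object_r:unlabeled:s0 instead of the persist_file type I wanted.
The changes were as follows:
In file.te: type persist_file, file_type;
In file_contexts: /persist(/.*)? u:object_r:persist_file:s0
So why did they not take effect?
I looked at the code in init: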
    int main(int argc, char** argv) {
        ......
        if (is_first_stage) {
            mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
            mkdir("/dev/pts", 0755);
            mkdir("/dev/socket", 0755);
            mount("devpts", "/dev/pts", "devpts", 0, NULL);
            #define MAKE_STR(x) __STRING(x)
            mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
            mount("sysfs", "/sys", "sysfs", 0, NULL);
        }

        // We must have some place other than / to create the device nodes for
        // kmsg and null, otherwise we won't be able to remount / read-only
        // later on. Now that tmpfs is mounted on /dev, we can actually talk
        // to the outside world.
        open_devnull_stdio();
        klog_init();
        klog_set_level(KLOG_NOTICE_LEVEL);

        NOTICE("init %s started!\n", is_first_stage ? "first stage" : "second stage");

        if (!is_first_stage) {
            // Indicate that booting is in progress to background fw loaders, etc.
            close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000));

            property_init();

            // If arguments are passed both on the command line and in DT,
            // properties set in DT always have priority over the command-line ones.
            process_kernel_dt();
            process_kernel_cmdline();

            // Propagate the kernel variables to internal variables
            // used by init as well as the current required properties.
            export_kernel_boot_props();
        }

        // Set up SELinux, including loading the SELinux policy if we're in the kernel domain.
        selinux_initialize(is_first_stage);

        // If we're in the kernel domain, re-exec init to transition to the init domain now
        // that the SELinux policy has been loaded.
        if (is_first_stage) {
            if (restorecon("/init") == -1) {
                ERROR("restorecon failed: %s\n", strerror(errno));
                security_failure();
            }
            char* path = argv[0];
            char* args[] = { path, const_cast<char*>("--second-stage"), nullptr };
            if (execv(path, args) == -1) {
                ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno));
                security_failure();
            }
        }

        // These directories were necessarily created before initial policy load
        // and therefore need their security context restored to the proper value.
        // This must happen before /dev is populated by ueventd.
        NOTICE("Running restorecon...\n");
        restorecon("/dev");
        restorecon("/dev/socket");
        restorecon("/dev/__properties__");
        restorecon("/property_contexts");
        restorecon_recursive("/sys");
        ......
        parser.ParseConfig("/init.rc");
        ......
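As the code shows, init loads the SELinux policy (including file_contexts) before it parses init.rc, and right after the load it runs restorecon on a set of paths. At that point the persist partition does not exist yet, so the sepolicy for it never takes effect.
That explains why none of the earlier changes worked: a restorecon has to be run on the partition. The final change is therefore:
In init.rc or init.*.rc: restorecon_recursive /persist
The command has to run after /persist has been mounted, since the problem was that the earlier restorecon calls ran before the partition existed.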
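To confirm that the relabel took effect, the check below compares the labels reported by ls -Z with what file_contexts expects and lists every path that is still wrong. It is an added example, not code from the original post or from AOSP; the sample data is constructed, the "context path" shape of the ls -Zd output is an assumption, and the lookup is simplified to "last matching entry wins" rather than libselinux's full ordering.

```python
import re

# Constructed sample data; only the /persist entry and the unlabeled context
# come from the post.
FILE_CONTEXTS = """\
# regex                 context
/data(/.*)?             u:object_r:system_data_file:s0
/persist(/.*)?          u:object_r:persist_file:s0
"""
# Assumed `ls -Zd` output shape: "<context> <path>" at the end of each line.
LS_BEFORE_RESTORECON = """\
u:object_r:system_data_file:s0 /data
u:object_r:unlabeled:s0 /persist
u:object_r:unlabeled:s0 /persist/sensors
"""
LS_AFTER_RESTORECON = LS_BEFORE_RESTORECON.replace("unlabeled", "persist_file")
CONTEXT_AND_PATH = re.compile(r"(\S+:\S+:\S+:\S+)\s+(\S+)\s*$")

def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order, skipping comments."""
    specs = []
    for line in text.splitlines():
        fields = line.split()  # regex [file-type] context
        if len(fields) >= 2 and not fields[0].startswith("#"):
            specs.append((re.compile(fields[0]), fields[-1]))
    return specs

def expected_context(path, specs):
    """Simplified lookup: the last entry whose regex matches the whole path."""
    for regex, context in reversed(specs):
        if regex.fullmatch(path):
            return context
    return None

def audit(ls_output, specs):
    """Return (path, actual, expected) for every path with the wrong label."""
    findings = []
    for line in ls_output.splitlines():
        m = CONTEXT_AND_PATH.search(line)
        if m:
            actual, path = m.groups()
            expected = expected_context(path, specs)
            if expected is not None and actual != expected:
                findings.append((path, actual, expected))
    return findings

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    print(audit(LS_BEFORE_RESTORECON, specs))
```

An empty result after reboot means every listed path carries the label its file_contexts entry asks for.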