Fixing unlabeled files in sepolicy

Source: Internet  Category: SQL scripting tutorial  Editor: 程序博客网  Time: 2024/06/05 14:46

Original article: http://blog.csdn.net/shift_wwx/article/details/77500458

If you repost this, please credit the source~~


Recently I needed to add a persist partition on a platform, which meant adding sepolicy for it. No matter how I changed the policy, ls -Z on the partition kept showing u:object_r:unlabeled:s0 instead of the persist_file type I wanted.


The changes were:

In file.te:           type persist_file, file_type;
In file_contexts:     /persist(/.*)?       u:object_r:persist_file:s0

So why did they not take effect?


I looked at the code in init:

int main(int argc, char** argv) {
    ......
    if (is_first_stage) {
        mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
        mkdir("/dev/pts", 0755);
        mkdir("/dev/socket", 0755);
        mount("devpts", "/dev/pts", "devpts", 0, NULL);
        #define MAKE_STR(x) __STRING(x)
        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
        mount("sysfs", "/sys", "sysfs", 0, NULL);
    }

    // We must have some place other than / to create the device nodes for
    // kmsg and null, otherwise we won't be able to remount / read-only
    // later on. Now that tmpfs is mounted on /dev, we can actually talk
    // to the outside world.
    open_devnull_stdio();
    klog_init();
    klog_set_level(KLOG_NOTICE_LEVEL);

    NOTICE("init %s started!\n", is_first_stage ? "first stage" : "second stage");

    if (!is_first_stage) {
        // Indicate that booting is in progress to background fw loaders, etc.
        close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000));

        property_init();

        // If arguments are passed both on the command line and in DT,
        // properties set in DT always have priority over the command-line ones.
        process_kernel_dt();
        process_kernel_cmdline();

        // Propagate the kernel variables to internal variables
        // used by init as well as the current required properties.
        export_kernel_boot_props();
    }

    // Set up SELinux, including loading the SELinux policy if we're in the kernel domain.
    selinux_initialize(is_first_stage);

    // If we're in the kernel domain, re-exec init to transition to the init domain now
    // that the SELinux policy has been loaded.
    if (is_first_stage) {
        if (restorecon("/init") == -1) {
            ERROR("restorecon failed: %s\n", strerror(errno));
            security_failure();
        }
        char* path = argv[0];
        char* args[] = { path, const_cast<char*>("--second-stage"), nullptr };
        if (execv(path, args) == -1) {
            ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno));
            security_failure();
        }
    }

    // These directories were necessarily created before initial policy load
    // and therefore need their security context restored to the proper value.
    // This must happen before /dev is populated by ueventd.
    NOTICE("Running restorecon...\n");
    restorecon("/dev");
    restorecon("/dev/socket");
    restorecon("/dev/__properties__");
    restorecon("/property_contexts");
    restorecon_recursive("/sys");

    ......
    parser.ParseConfig("/init.rc");
    ......


As you can see, the SELinux policy is loaded before init.rc is parsed, and immediately after the load init runs restorecon over a handful of directories. In other words, the policy, and with it file_contexts, is loaded before init.rc is parsed, but at that point the persist partition does not exist yet (it has not been mounted), so there is nothing for the file_contexts rule to be applied to and the files keep their unlabeled context.


Seeing this, it is roughly clear why it never worked: a restorecon operation is required after the partition appears. So the final change is:

In init.rc or init.*.rc:     restorecon_recursive /persist


As for the difference between restorecon and restorecon_recursive, look at the code: the latter simply applies the same operation recursively to everything under the path.
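A quick way to confirm that the restorecon_recursive line took effect, as an added example that is not part of the original post: it compares labels captured with ls -Z against file_contexts rules (both inputs are constructed samples here) and flags every path whose on-disk label, typically still unlabeled, does not match what policy assigns. It assumes the restorecon_recursive directive runs after the partition has been mounted, and that the last matching file_contexts rule wins.

```shell
#!/bin/sh
# Added example (not from the original post): check `ls -Z` output from the
# device against a file_contexts fragment and report every path whose on-disk
# label is not the one policy assigns. A path that still shows
# u:object_r:unlabeled:s0 after boot is exactly the symptom described above:
# the rule exists, but no restorecon ever ran over the mounted partition.

# Constructed file_contexts fragment: regex, then the context it assigns.
FILE_CONTEXTS='/persist(/.*)?    u:object_r:persist_file:s0
/data(/.*)?       u:object_r:system_data_file:s0'

# Constructed `ls -ZR`-style capture: security context, then absolute path.
LS_Z='u:object_r:unlabeled:s0 /persist
u:object_r:unlabeled:s0 /persist/wifi/mac.txt
u:object_r:persist_file:s0 /persist/bt/cal
u:object_r:system_data_file:s0 /data/misc'

# expected_context PATH: the context file_contexts assigns to PATH.
# Each regex is anchored to the whole path; when several rules match,
# the last one in the file wins (assumed here, matching libselinux lookup).
expected_context() {
    printf '%s\n' "$FILE_CONTEXTS" | awk -v p="$1" '
        NF >= 2 && p ~ ("^" $1 "$") { ctx = $2 }
        END { print ctx }'
}

# mislabeled: print "PATH ACTUAL EXPECTED" for each entry whose label differs.
mislabeled() {
    printf '%s\n' "$LS_Z" | while read -r ctx path; do
        want=$(expected_context "$path")
        [ "$ctx" = "$want" ] || printf '%s %s %s\n' "$path" "$ctx" "$want"
    done
}

# count_mislabeled: number of mismatches; 0 means labels agree with policy.
count_mislabeled() {
    mislabeled | wc -l | tr -d ' '
}

# Run directly: list the mismatches found in the sample capture.
mislabeled
```

On a real device, replace the two constructed variables with `adb shell ls -ZR /persist` output and the platform's file_contexts entries; a non-zero mismatch count after boot means the directive either is missing or runs before the mount.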