android.cts.security.SELinuxNeverallowRulesTest --testNeverallowRulesXXX

android.cts.security.SELinuxNeverallowRulesTest
–testNeverallowRulesXXX
[DESCRIPTION]

若有自行修改Sepolicy导致违反Google的Neverallow rule，CTS 将fail。比如：
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules110 FAIL
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { domain -system_server -system_app -init -installd } system_data_file:file { append create link unlink relabelfrom rename setattr write };
libsepol.report_failure: neverallow violated by allow install_recovery system_data_file:file { write create setattr relabelfrom append unlink link rename };
libsepol.check_assertions: 1 neverallow failures occurred

[SOLUTION]
查看CTS host log，找出neverallow violated by后面的部分，
即
allow install_recovery system_data_file:file { write create setattr relabelfrom append unlink link rename };
这个policy一般是在如下te文件中添加,需要客户自行检查:
alps/device/mediatek/common/sepolicy/install_recovery.te
alps/external/sepolicy/install_recovery.te
若上面的te文件中找不到这个修改说明是在别处te文件中添加的，则可以在
out/target/product/project/obj/ETC/sepolicy_intermediates中搜索即可，这是所有selinux policy的汇总。

上面fail的信息是说这一行policy违反了Google 原生的Neverallow policy:
neverallow { domain -system_server -system_app -init -installd } system_data_file:file { append create link unlink relabelfrom rename setattr write };
从而导致CTS fail，移除这一行即可。

Note:
必须维持external/sepolicy 与Google AOSP一致, 尽量不要修改.
特别是不要去除任何的neverallow 语句.