本文转载自:https://blog.csdn.net/yin1031468524/article/details/75644874
在系统中添加某个“*.te”后,可能会出现下面的错误:
libsepol.report_failure: neverallow on line 263 of system/sepolicy/domain.te (or line 9133 of policy.conf) violated by allow xx device:chr_file { read write open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
这是因为在“system/sepolicy/domain.te” 添加了一些neverallow rules,导致编译检查的时候出现错误
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
只需要根据错误的提示,在system/sepolicy/domain.te找到对应的neverallow规则修改即可,我编译出现error的是allow xx device:chr_file { read write open };
只需要在下面的规则中,去掉我们添加的xx.te即可,在neverallow后的第一个‘{}’里 利用“-xx”,排除某个,即不应有此规则
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd -systool_server -xx } device:chr_file { open read write };