This article is reposted from: https://blog.csdn.net/yin1031468524/article/details/75644874
After adding a new "*.te" policy file to the system, the following build error may appear:
libsepol.report_failure: neverallow on line 263 of system/sepolicy/domain.te (or line 9133 of policy.conf) violated by allow xx device:chr_file { read write open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
This happens because "system/sepolicy/domain.te" contains neverallow rules, which cause the policy compile-time check to fail when a new allow rule contradicts one of them, for example:
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
Following the error message, locate the corresponding neverallow rule in system/sepolicy/domain.te and adjust it. The rule my build tripped over was allow xx device:chr_file { read write open };
In the rule below, exclude the xx domain defined by our added xx.te: inside the first '{}' after neverallow, write "-xx" to subtract that domain from the set the rule applies to, so the neverallow no longer covers it.
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd -systool_server -xx } device:chr_file { open read write };
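To show why subtracting "-xx" silences the check, here is an added Python model of the neverallow assertion that libsepol performs at build time; it is not code from the post or from Android's sepolicy tooling, and the domain membership set and the rules below are constructed from the page's examples.

```python
import re

# Constructed for the demo: types carrying the "domain" attribute (assumption).
DOMAIN_TYPES = {"init", "ueventd", "systool_server", "xx", "untrusted_app"}

# Rules taken from the page; NEVERALLOW_ORIG is the rule before "-xx" was added.
NEVERALLOW_ORIG = "neverallow { domain -init -ueventd -systool_server } device:chr_file { open read write };"
NEVERALLOW_FIXED = "neverallow { domain -init -ueventd -systool_server -xx } device:chr_file { open read write };"
ALLOW_XX = "allow xx device:chr_file { read write open };"

RULE_RE = re.compile(r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")


def expand_set(token, universe):
    """Expand a bare type or a "{ attr type -excluded ... }" set; "domain" expands to universe."""
    names = token.strip("{}").split() if token.startswith("{") else [token]
    result = set()
    for name in names:
        if name.startswith("-"):
            result.discard(name[1:])  # "-xx" removes xx from the set the rule covers
        elif name == "domain":
            result |= universe
        else:
            result.add(name)
    return result


def parse_rule(text, universe):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsed rule: {text}")
    kind, src, tgt, cls, perms = m.groups()
    return kind, expand_set(src, universe), tgt, cls, expand_set(perms, set())


def check_assertions(policy_rules, universe=DOMAIN_TYPES):
    """Return (neverallow, allow) pairs where an allow grants something a neverallow forbids."""
    parsed = [(r, parse_rule(r, universe)) for r in policy_rules]
    allows = [(r, p) for r, p in parsed if p[0] == "allow"]
    nevers = [(r, p) for r, p in parsed if p[0] == "neverallow"]
    failures = []
    for ntext, (_, nsrc, ntgt, ncls, nperms) in nevers:
        for atext, (_, asrc, atgt, acls, aperms) in allows:
            # A violation needs overlap in source types, same target and class, and overlapping perms.
            if asrc & nsrc and atgt == ntgt and acls == ncls and aperms & nperms:
                failures.append((ntext, atext))
    return failures


if __name__ == "__main__":
    print("before -xx:", check_assertions([NEVERALLOW_ORIG, ALLOW_XX]))   # one failure
    print("after  -xx:", check_assertions([NEVERALLOW_FIXED, ALLOW_XX]))  # []
```

Note that "-xx" removes xx from the domains the rule protects rather than satisfying it; the rule's own comment points to relabeling the device to a more specific type as the intended alternative.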