android-source - avc: 拒绝 default_android_hwservice，紫 neverallow

问题描述

首先我得到的日志为：

11-11 11:11:14.779  2287  2287 E SELinux : **avc:  denied**  { add } for interface=vendor.abc.wifi.wifidiagnostic::IWifiDiagnostic sid=u:r:wifidiagnostic:s0 pid=2838 scontext=u:r:wifidiagnostic:s0 tcontext=u:object_r:**default_android_hwservice**:s0 tclass=hwservice_manager permissive=1
11-11 11:11:14.781  2838  2838 I ServiceManagement: Registered vendor.abc.wifi.wifidiagnostic@1.0::IWifiDiagnostic/default (start delay of 128ms)
11-11 11:11:14.781  2838  2838 I ServiceManagement: Removing namespace from process name vendor.abc.wifi.wifidiagnostic@1.0-service to wifidiagnostic@1.0-service.

但是如果我添加

allow wifidiagnostic default_android_hwservice:hwservice_manager {add}

获取编译错误：

libsepol.report_failure: neverallow on line 511 of system/sepolicy/public/domain.te (or line 11982 of policy.conf) violated by allow wifidiagnostic default_android_hwservice:hwservice_manager { add };
libsepol.check_assertions: **1 neverallow failures occurred**
Error while expanding policy

我该如何解决？

wifidiagnostic 是具有诊断功能的本机服务。我在 wifidiagnostic.te 中定义类型

# wifidiagnostic service
type wifidiagnostic, domain;
type wifidiagnostic_exec, exec_type, file_type, vendor_file_type;

init_daemon_domain(wifidiagnostic)

allow wifidiagnostic hwservicemanager_prop:file { getattr map open read };
allow wifidiagnostic hwservicemanager:binder { call transfer };
#allow wifidiagnostic default_android_hwservice:hwservice_manager { add };
allow wifidiagnostic hidl_base_hwservice:hwservice_manager { add };

并在 file_contexts 添加标签

/vendor/bin/hw/vendor.abc.wifi.wifidiagnostic@1.0-service u:object_r:wifidiagnostic_exec:s0

标签： android-sourceselinux