當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

android audit2allow工具使用步骤

發(fā)布時(shí)間：2025/3/15 编程问答 24 豆豆

生活随笔收集整理的這篇文章主要介紹了 android audit2allow工具使用步骤小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

在dmesg里面經(jīng)常會(huì)看到很多的avc denied的打印，如果有很多這種打印，那可以借助于android提供的audit2allow工具幫我們轉(zhuǎn)換成allow語句。

使用步驟如下：
一、將dmesg中的相關(guān)avc denied的打印語句，復(fù)制到一個(gè)txt文件中，我這里取名為tee-supplicant.txt(因?yàn)槲艺诓僮鞯倪M(jìn)程是tee-supplicant)

avc: denied { read append } for comm="tee-supplicant" name="kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { read append } for comm="tee-supplicant" name="kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { syslog_read } for comm="tee-supplicant" scontext=u:r:tee-supplicant:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 avc: denied { syslog_read } for comm="tee-supplicant" scontext=u:r:tee-supplicant:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 avc: denied { getattr } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { getattr } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 ioctlcmd=0x5401 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/kmsg_debug" dev="tmpfs" ino=8780 ioctlcmd=0x5401 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:kmsg_debug_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { read write } for comm="tee-supplicant" name="mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { read write } for comm="tee-supplicant" name="mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 cant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { search } for comm="tee-supplicant" name="block" dev="tmpfs" ino=21511 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/sys/devices/platform/0.soc/34458000.sdhci/mmc_host/mmc1/mmc1:0001/cid" dev="sysfs" ino=44384 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 context=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for comm="tee-supplicant" name="mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/block/mmcblk1" dev="tmpfs" ino=24601 ioctlcmd=0xb300 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { sys_rawio } for comm="tee-supplicant" capability=17 scontext=u:r:tee-supplicant:s0 tcontext=u:r:tee-supplicant:s0 tclass=capability permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm="tee-supplicant" path="/dev/mmcblk1rpmb" dev="tmpfs" ino=21735 ioctlcmd=0xb301 scontext=u:r:tee-supplicant:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

二、把這個(gè)tee-supplicant.txt文件，放到android源碼的路徑android/external/selinux/prebuilts/bin目錄下

android/external/selinux/prebuilts/bin$ ls audit2allow audit2why avc.te sediff sediff.py seinfo seinfo.py sesearch sesearch.py tee-supplicant.txt

三、執(zhí)行如下命令

./audit2allow -i tee-supplicant.txt > avc.te

四、查看avc.te
默認(rèn)打開發(fā)現(xiàn)是空的，有下面這么一句打印，提示需要執(zhí)行source lunch

ANDROID_HOST_OUT not set. Have you run lunch?

執(zhí)行一下source build/envsetup.sh lunch xxx后，再執(zhí)行audit2allow 命令就可以了，自動(dòng)生成的內(nèi)容如下：

#============= tee-supplicant ============== allow tee-supplicant block_device:blk_file { ioctl open read }; allow tee-supplicant block_device:dir search; allow tee-supplicant device:chr_file { ioctl open read write }; allow tee-supplicant kernel:system syslog_read; allow tee-supplicant kmsg_debug_device:chr_file { append getattr ioctl open read }; allow tee-supplicant self:capability sys_rawio; allow tee-supplicant sysfs:file open;

總結(jié)

以上是生活随笔為你收集整理的android audit2allow工具使用步骤的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： poj 1821 fence
下一篇：职业学校计算机主要学什么条件,职业学校计