Question
I have a rooted android device and I need to inject following policies into it:
sepolicy-inject -s init -t su -c process -p transition -l
sepolicy-inject -s su -t system_file -c file -p entrypoint -l
sepolicy-inject -s init -t su -c process -p rlimitinh -l
sepolicy-inject -s init -t su -c process -p siginh -l
sepolicy-inject -s su -t shell_exec -c file -p read -l
sepolicy-inject -s su -t shell_exec -c file -p execute -l
sepolicy-inject -s su -t shell_exec -c file -p getattr -l
sepolicy-inject -s su -t vendor_toolbox_exec -c file -p execute_no_trans -l
sepolicy-inject -s init -t su -c process -p noatsecure -l
sepolicy-inject -s su -t toolbox_exec -c file -p getattr -l
sepolicy-inject -s su -t toolbox_exec -c file -p execute -l
sepolicy-inject -s su -t system_file -c file -p execute_no_trans -l
sepolicy-inject -s su -t storage_file -c dir -p search -l
sepolicy-inject -s su -t storage_file -c lnk_file -p read -l
sepolicy-inject -s su -t tmpfs -c dir -p search -l
sepolicy-inject -s su -t mnt_user_file -c dir -p search -l
sepolicy-inject -s su -t mnt_user_file -c lnk_file -p read -l
sepolicy-inject -s su -t sdcardfs -c dir -p search -l
sepolicy-inject -s su -t sdcardfs -c file -p append -l
sepolicy-inject -s su -t toolbox_exec -c file -p read -l
sepolicy-inject -s su -t toolbox_exec -c file -p open -l
sepolicy-inject -s su -t sdcardfs -c file -p read -l
sepolicy-inject -s su -t sdcardfs -c file -p write -l
As you can see, I am using sepolicy-inject commands to inject the required policies. I am facing a problem where, on reboot, these policies no longer exist.
As per my understanding, the new policies are injected at the /sys/fs/selinux/policy location, and this is not persistent storage. Also, there is a file on the root partition, /sepolicy, which contains these policy rules.
I found ./sepolicy in boot.img. I have an A/B partition device, so the ./sepolicy in boot.img is for recovery only.
Now, I am not able to understand how to inject the required policies permanently into the device, for the following reasons:
- /sys/fs/selinux/policy and /sepolicy are not on a permanent storage partition.
- boot.img only contains SELinux policies that are available in recovery only.
Please suggest how I can achieve my goal.
Answer 1:
"/sepolicy" is on a ramdisk, so it's temporary. You can solve it by putting those commands in some "init" script that will run the "sepolicy-inject ..." commands at bootup ;)
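The approach from this answer as a concrete boot-time script. This is an added example, not code from the original answer or from the sepolicy-inject project. It assumes a root solution that runs scripts at boot (for instance Magisk's /data/adb/service.d, which is an assumption about the reader's setup), that sepolicy-inject is installed at /system/xbin/sepolicy-inject (overridable via SEPOLICY_INJECT), and that the rules are kept in /data/adb/sepolicy.rules, one per line as "source target class permission" (overridable via RULES_FILE); those paths and the rules-file format are assumptions, not something the post states. The script keeps the rules as data instead of 23 hard-coded command lines, skips comments, blank lines and malformed entries, and falls back to printing the commands when the binary is not present so it can be dry-run on a workstation.

```shell
#!/system/bin/sh
# Added example (not from the original answer): re-apply sepolicy-inject rules to the
# live policy (/sys/fs/selinux/policy) after every reboot, since rules loaded with -l
# are lost when the kernel reloads the policy from the ramdisk.
# Assumed paths (not stated in the post); both can be overridden from the environment.
SEPOLICY_INJECT="${SEPOLICY_INJECT:-/system/xbin/sepolicy-inject}"
RULES_FILE="${RULES_FILE:-/data/adb/sepolicy.rules}"

# Compose the exact sepolicy-inject command line for one rule.
# $1=source $2=target $3=class $4=permission; -l loads into the running kernel.
inject_rule_cmd() {
    printf '%s -s %s -t %s -c %s -p %s -l\n' "$SEPOLICY_INJECT" "$1" "$2" "$3" "$4"
}

# Read rules from the file named in $1, skip blank lines and '#' comments, reject
# lines that do not have exactly four fields, and run one sepolicy-inject per rule.
# Every composed command is echoed to stdout (one line per applied rule), so a caller
# can count them; when the binary is not executable the script only prints (dry run).
apply_rules() {
    while read -r src tgt cls perm extra; do
        case "$src" in ''|'#'*) continue ;; esac
        if [ -z "$perm" ] || [ -n "$extra" ]; then
            echo "skipping malformed rule: $src $tgt $cls $perm $extra" >&2
            continue
        fi
        cmd=$(inject_rule_cmd "$src" "$tgt" "$cls" "$perm")
        echo "$cmd"
        if [ -x "$SEPOLICY_INJECT" ]; then
            "$SEPOLICY_INJECT" -s "$src" -t "$tgt" -c "$cls" -p "$perm" -l \
                || echo "sepolicy-inject failed for: $cmd" >&2
        fi
    done < "$1"
}

# Entry point: only act when the rules file exists, so sourcing this file on a
# machine without it (or without the binary) does nothing harmful.
if [ -f "$RULES_FILE" ]; then
    apply_rules "$RULES_FILE"
fi
```

The rules file for this script would hold the question's rules as `init su process transition`, `su system_file file entrypoint`, and so on. Two caveats when wiring it in: the script has to run as root from the earliest hook the root solution offers, because rules such as the `init -> su` process transition must be in place before anything execs `su`, and after the first boot with the script in place it is worth confirming with `getenforce` that the device is still enforcing, so that the rules, not a silently permissive kernel, are what makes `su` work.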
Answer 2:
Just disable SELinux by setting it to permissive.
Source: https://stackoverflow.com/questions/57477794/how-to-inject-selinux-policies-permanently-in-android