Android AVC errors: how to modify permissions

  • adb logcat reports the error:
init: avc: denied { set } for property=camera.gc02m1 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:camera_prop:s0tclass=property_service
  • The SELinux permissions are insufficient
Characteristic log: avc: denied { permission } for pid=7201 comm="process name" scontext=u:r:source_type:s0 tcontext=u:r:target_type:s0 tclass=object_class permissive=0
  • Modify the configuration

Because the scontext is mm-qcamerad, locate the mm-qcamerad.te file at /home/scooper/workspace/ljh/msm8909/device/qcom/sepolicy/common/mm-qcamerad.te

  • Add the rule
allow mm-qcamerad camera_prop:property_service {set};

 General steps for adding permissions:

adb shell

su

setenforce 0

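exit  # leave the root user

Open a terminal and run adb shell logcat -b all|grep avc to capture the avc denials

Open another terminal and run the command you want to execute

Example: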

 

03-31 03:02:45.563  3739  3739 I auditd  : type=1400 audit(0.0:158): avc: denied { search } for comm="sh" name="battery" dev="sysfs" ino=40646 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=dir permissive=1
03-31 03:02:45.563  3739  3739 I sh      : type=1400 audit(0.0:158): avc: denied { search } for name="battery" dev="sysfs" ino=40646 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=dir permissive=1
03-31 03:02:45.563  3739  3739 I auditd  : type=1400 audit(0.0:159): avc: denied { write } for comm="sh" name="input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:02:45.563  3739  3739 I sh      : type=1400 audit(0.0:159): avc: denied { write } for name="input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:02:45.563  3739  3739 I auditd  : type=1400 audit(0.0:160): avc: denied { open } for comm="sh" path="/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery/input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:02:45.563  3739  3739 I sh      : type=1400 audit(0.0:160): avc: denied { open } for path="/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery/input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1


03-31 03:03:01.247  4128  4128 I auditd  : type=1400 audit(0.0:161): avc: denied { read } for comm="cat" name="input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:03:01.247  4128  4128 I cat     : type=1400 audit(0.0:161): avc: denied { read } for name="input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:03:01.247  4128  4128 I auditd  : type=1400 audit(0.0:162): avc: denied { open } for comm="cat" path="/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery/input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:03:01.247  4128  4128 I cat     : type=1400 audit(0.0:162): avc: denied { open } for path="/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery/input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1


Add the following to shell.te, usually found at LA.UM.9.15.2.R1/device/qcom/sepolicy_vndr/generic/vendor/common/shell.te (the scontext subject is shell, so the rules go in shell.te)
allow shell vendor_sysfs_battery_supply:dir { search };
allow shell vendor_sysfs_battery_supply:file { open write read };
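
The manual step above (read scontext, tcontext, tclass and the denied permission from each line, then write one allow rule per source/target/class) can be scripted. The following is an added example, not code from the original post: the function name denials_to_rules and the SAMPLE_LOG constant are hypothetical, and the sample lines are a subset copied from the logs on this page.

```python
import re
from collections import defaultdict

# Sample input assembled from this page's logs. The first line has "tclass="
# glued to "s0", and logcat reports each denial twice (once under "auditd").
SAMPLE_LOG = """\
init: avc: denied { set } for property=camera.gc02m1 scontext=u:r:mm-qcamerad:s0 tcontext=u:object_r:camera_prop:s0tclass=property_service
03-31 03:02:45.563  3739  3739 I auditd  : type=1400 audit(0.0:158): avc: denied { search } for comm="sh" name="battery" dev="sysfs" ino=40646 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=dir permissive=1
03-31 03:02:45.563  3739  3739 I sh      : type=1400 audit(0.0:158): avc: denied { search } for name="battery" dev="sysfs" ino=40646 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=dir permissive=1
03-31 03:02:45.563  3739  3739 I auditd  : type=1400 audit(0.0:159): avc: denied { write } for comm="sh" name="input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:03:01.247  4128  4128 I auditd  : type=1400 audit(0.0:161): avc: denied { read } for comm="cat" name="input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
03-31 03:03:01.247  4128  4128 I auditd  : type=1400 audit(0.0:162): avc: denied { open } for comm="cat" path="/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery/input_suspend" dev="sysfs" ino=40674 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_sysfs_battery_supply:s0 tclass=file permissive=1
"""

# Capture the denied permissions, then the type field (third component) of
# scontext and tcontext, then the object class. Domain names may contain "-".
AVC = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=\w+:\w+:(?P<src>[\w-]+):.*?"
    r"tcontext=\w+:\w+:(?P<tgt>[\w-]+):.*?"
    r"tclass=(?P<cls>\w+)"
)

def denials_to_rules(log_text):
    """Return sorted allow rules, merging duplicate and related denials."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC.search(line)
        if not m:
            continue  # not an AVC denial line
        # One rule per (source domain, target type, class); permissions merge.
        grouped[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

The generated rules are a draft for review: each one should be checked against what the source domain actually needs before it goes into the matching .te file.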
posted @ 2024-03-29 16:10  轻轻的吻