Build AOSP custom rom

Submitted by 删除回忆录丶 on 2019-12-11 11:01:59

Question


I'm trying to build enforcing, but I had 7 violations. How can I fix them?

libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926 of policy.conf) violated by allow hal_camera_default hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 3 of device/motorola/sanders/sepolicy/vendor/hal_nfc_default.te (or line 75741 of policy.conf) violated by allow rild hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_secure_element.te (or line 15685 of policy.conf) violated by allow hal_nfc_default hal_secure_element_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_camera.te (or line 14186 of policy.conf) violated by allow init hal_camera_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 521 of system/sepolicy/public/domain.te (or line 10809 of policy.conf) violated by allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 519 of system/sepolicy/public/domain.te (or line 10807 of policy.conf) violated by allow qseeproxy default_android_service:service_manager { add };
libsepol.check_assertions: 7 neverallow failures occurred

Answer 1:


You are dealing with neverallow violations: You have a rule that says "Never allow type x to do action on some other type/class y:c" and then another rule that says "This subtype of x is allowed to do action on y:c". The SE Linux compiler will reject these contradictory rules. This can be solved by modifying the neverallow rule to make an exception for the specific subtype you want to allow.

More precisely, if you have rules of the form:

  1. neverallow x y:c action;
  2. type z, x; (meaning z is a special case of x)
  3. allow z y:c action;

Modify the first rule to neverallow {x -z} y:class action; to make an exception for the subtype z.

Example:

  1. Link: neverallow { domain ... -installd} staging_data_file:dir *; says objects of type domain should not be allowed to access objects of type staging_data_file and class dir. However, it makes an exception for type installd.

  2. Link: type installd, domain; defines installd to be a special case of domain.

  3. Link: allow installd staging_data_file:dir { open ... }; allows installd to do action open on objects of type staging_data_file and class dir.



Source: https://stackoverflow.com/questions/58210696/build-aosp-custom-rom
