Build Aosp Custom Rom

I'm trying to build enforcing, but I had 7 violations. How can I fix? libsepol.report_failure: neverallow on line 5 of device/motorola/sanders/sepolicy/vendor/ims.te (or line 75926

Solution 1:

You are dealing with neverallow violations: You have a rule that says "Never allow type x to do action on some other type/class y:c" and then another rule that says "This subtype of x is allowed to do action on y:c". The SE Linux compiler will reject these contradictory rules. This can be solved by modifying the neverallow rule to make an exception for the specific subtype you want to allow.

More precisely, if you have rules of the form:

1. neverallow x y:c action;
2. type z, x; (meaning z is a special case of x)
3. allow z y:c action;

Modify the first rule to neverallow {x -z} y:class action; to make an exception for the subtype z.

Example:

1. Link: neverallow { domain ... -installd} staging_data_file:dir *; says objects of type domain should not be allowed to access objects of type staging_data_file and class dir. However, it makes an exception for type installd.

2. Link: type installd, domain; defines installd to be a special case of domain.

3. Link: allow installd staging_data_file:dir { open ... }; allows installd to do action open on objects of type staging_data_file and class dir.