# OpenHarmony SELinux FAQs

## Error "neverallow check failed"

**Symptom**

"neverallow check failed" is reported during the SELinux compilation process.

```
neverallow check failed at obj/base/security/selinux_adapter/updater/system.cil:3887 from ../../base/security/selinux_adapter/sepolicy/base/public/domain.te:96
  (neverallow domain dev_parameters_file (file (write)))
    <root>
    allow at obj/base/security/selinux_adapter/updater/system.cil:14124
      (allow init dev_parameters_file (file (write create relabelfrom relabelto)))
```

**Possible Causes**

The configured rule violates an existing **neverallow** rule.

**Solution**

Check and modify the rule so that it no longer violates the **neverallow** rule. If the rule is required by the service, exempt the SELinux type used by the rule from the **neverallow** rule.

Example:

Rule violating **neverallow**:

```text
allow init dev_parameters_file:file { write };
```

Modify:

```text
neverallow domain dev_parameters_file:file write;
```

To:

```text
neverallow { domain -init } dev_parameters_file:file write;
```

## Error "unrecognized character"

**Symptom**

"unrecognized character" is reported during the SELinux compilation process.

```
' on line 3350:rity/selinux_adapter/sepolicy/base/public/domain.te:16:ERROR 'unrecognized character' at token '
allow domain init:process sigchld;
```

**Possible Causes**

The policy file is in DOS format.

**Solution**

Run the **dos2unix** command to convert the file into the correct format.

```text
dos2unix ./sepolicy/base/public/domain.te
```

## Error "unknown type"

**Symptom**

"unknown type" is reported during the SELinux compilation process.

```
../../base/security/selinux_adapter/sepolicy/ohos_policy/security/access_token/vendor/access_token.te:2:ERROR 'unknown type accesstoken_data_file' at token ';' on line 10334:
allow accesstoken_service accesstoken_data_file:dir { search add_name open read write remove_name };
#line 1 "../../base/security/selinux_adapter/sepolicy/ohos_policy/security/access_token/vendor/access_token.te"
checkpolicy:  error(s) encountered while parsing configuration
```

**Possible Causes**

1. The SELinux type is not defined.
2. The SELinux type is invisible when the current rule is compiled. For example, an SELinux type defined for a directory in **/system** is used by a directory in **/vendor**. When the chipset-related rules (in **/vendor**) are compiled, only the rules in the **/vendor** and **/public** directories are traversed. Because the SELinux type is defined in the **/system** directory, "unknown type" is reported.

**Solution**

1. Check whether the SELinux type is defined. If not, define **type** in the following format:

```text
type init, xxx;
```

2. Check whether the SELinux type is invisible to the rule being compiled. If yes, move the SELinux type to a directory visible to the rule. You are advised to define the SELinux types in a file named **type.te** in the **/public** directory.
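
The visibility cause described above can be checked before a build. The following Python script is an added example, not OpenHarmony code: it reports names used in **vendor** `allow` rules that are declared only under **system**. It assumes that a file's partition is the `system`, `vendor` or `public` component of its path, it parses only `type`/`attribute` declarations and `allow` rules, and its sample policy is constructed (only the `access_token.te` path and its rule come from the error above).

```python
import re
from pathlib import PurePosixPath

# Constructed sample policy; only the vendor path and its rule come from the error above.
BASE = "sepolicy/ohos_policy/security/access_token"
SAMPLE = {
    f"{BASE}/system/type.te": "type accesstoken_data_file, file_attr;\n",
    f"{BASE}/public/type.te": "type accesstoken_service, sadomain, domain;\n",
    f"{BASE}/vendor/access_token.te": (
        "# constructed header line\n"
        "allow accesstoken_service accesstoken_data_file:dir "
        "{ search add_name open read write remove_name };\n"
    ),
}

DECL = re.compile(r"^\s*(?:type|attribute)\s+(\w+)", re.M)
FIELD = r"(\{[^}]*\}|[^\s:]+)"
ALLOW = re.compile(r"^\s*allow\s+" + FIELD + r"\s+" + FIELD + r"\s*:")

def partition(path):
    """Assumed layout: the last system/vendor/public path component names the partition."""
    for part in reversed(PurePosixPath(path).parts):
        if part in ("system", "vendor", "public"):
            return part
    return None

def names(field):
    """Split 'a' or '{ a -b }' into bare identifiers."""
    return [n.lstrip("-") for n in field.strip("{} ").split()]

def invisible_types(policy, building="vendor"):
    """Return (file, line, name) for names used in `building` allow rules that are
    declared neither in `building` nor in public files."""
    visible = {"self"}
    for path, text in policy.items():
        if partition(path) in (building, "public"):
            visible.update(DECL.findall(text))
    findings = []
    for path, text in sorted(policy.items()):
        if partition(path) != building:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ALLOW.match(line)
            for name in (names(m.group(1)) + names(m.group(2))) if m else []:
                if name not in visible:
                    findings.append((path, lineno, name))
    return findings

if __name__ == "__main__":
    for path, lineno, name in invisible_types(SAMPLE):
        print(f"{path}:{lineno}: type '{name}' is not visible to vendor rules")
```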