1e41f4b71Sopenharmony_ci# OpenHarmony SELinux FAQs
2e41f4b71Sopenharmony_ci
3e41f4b71Sopenharmony_ci## Error "neverallow check failed"
4e41f4b71Sopenharmony_ci**Symptom**
5e41f4b71Sopenharmony_ci
6e41f4b71Sopenharmony_ci"neverallow check failed" is reported during the SELinux compilation process.
7e41f4b71Sopenharmony_ci
8e41f4b71Sopenharmony_ci```
9e41f4b71Sopenharmony_cineverallow check failed at obj/base/security/selinux_adapter/updater/system.cil:3887 from ../../base/security/selinux_adapter/sepolicy/base/public/domain.te:96
10e41f4b71Sopenharmony_ci  (neverallow domain dev_parameters_file (file (write)))
11e41f4b71Sopenharmony_ci    <root>
12e41f4b71Sopenharmony_ci    allow at obj/base/security/selinux_adapter/updater/system.cil:14124
13e41f4b71Sopenharmony_ci      (allow init dev_parameters_file (file (write create relabelfrom relabelto)))
14e41f4b71Sopenharmony_ci```
15e41f4b71Sopenharmony_ci
16e41f4b71Sopenharmony_ci**Possible Causes**
17e41f4b71Sopenharmony_ci
18e41f4b71Sopenharmony_ciThe rule configured violates the existing **neverallow** rules.
19e41f4b71Sopenharmony_ci
20e41f4b71Sopenharmony_ci**Solution**
21e41f4b71Sopenharmony_ci
22e41f4b71Sopenharmony_ciCheck and modify the rule to avoid **neverallow** violation. If the rule must be configured based on service requirements, exempt the SELinux type of the rule in the **neverallow** rule. 
23e41f4b71Sopenharmony_ci
24e41f4b71Sopenharmony_ciExample:
25e41f4b71Sopenharmony_ci
26e41f4b71Sopenharmony_ciRule violating **neverallow**:
27e41f4b71Sopenharmony_ci
28e41f4b71Sopenharmony_ci```text
29e41f4b71Sopenharmony_ciallow init dev_parameters_file:file { write };
30e41f4b71Sopenharmony_ci```
31e41f4b71Sopenharmony_ci
32e41f4b71Sopenharmony_ciModify:
33e41f4b71Sopenharmony_ci
34e41f4b71Sopenharmony_ci```text
35e41f4b71Sopenharmony_cineverallow domain dev_parameters_file:file
36e41f4b71Sopenharmony_ci```
37e41f4b71Sopenharmony_ci
38e41f4b71Sopenharmony_ciTo:
39e41f4b71Sopenharmony_ci
40e41f4b71Sopenharmony_ci```text
41e41f4b71Sopenharmony_cineverallow { domain -init } dev_parameters_file:file write;
42e41f4b71Sopenharmony_ci```
43e41f4b71Sopenharmony_ci
44e41f4b71Sopenharmony_ci## Error "unrecognized character"
45e41f4b71Sopenharmony_ci
46e41f4b71Sopenharmony_ci**Symptom**
47e41f4b71Sopenharmony_ci
48e41f4b71Sopenharmony_ci"unrecognized character" is reported during the SELinux compilation process.
49e41f4b71Sopenharmony_ci
50e41f4b71Sopenharmony_ci```
51e41f4b71Sopenharmony_ci' on line 3350:rity/selinux_adapter/sepolicy/base/public/domain.te:16:ERROR 'unrecognized character' at token '
52e41f4b71Sopenharmony_ciallow domain init:process sigchld;
53e41f4b71Sopenharmony_ci```
54e41f4b71Sopenharmony_ci
55e41f4b71Sopenharmony_ci**Possible Causes**
56e41f4b71Sopenharmony_ci
57e41f4b71Sopenharmony_ciThe policy file is in DOS format.
58e41f4b71Sopenharmony_ci
59e41f4b71Sopenharmony_ci**Solution**
60e41f4b71Sopenharmony_ci
61e41f4b71Sopenharmony_ciRun the **dos2unix** command to convert the file into the correct format.
62e41f4b71Sopenharmony_ci```text
63e41f4b71Sopenharmony_cidos2unix ./sepolicy/base/public/domain.te
64e41f4b71Sopenharmony_ci```
65e41f4b71Sopenharmony_ci
66e41f4b71Sopenharmony_ci## Error "unknown type" 
67e41f4b71Sopenharmony_ci**Symptom**
68e41f4b71Sopenharmony_ci
69e41f4b71Sopenharmony_ci "unknown type" is reported during the SELinux compilation process.
70e41f4b71Sopenharmony_ci```
71e41f4b71Sopenharmony_ci../../base/security/selinux_adapter/sepolicy/ohos_policy/security/access_token/vendor/access_token.te:2:ERROR 'unknown type accesstoken_data_file' at token ';' on line 10334:
72e41f4b71Sopenharmony_ciallow accesstoken_service accesstoken_data_file:dir { search add_name open read write remove_name };
73e41f4b71Sopenharmony_ci#line 1 "../../base/security/selinux_adapter/sepolicy/ohos_policy/security/access_token/vendor/access_token.te"
74e41f4b71Sopenharmony_cicheckpolicy:  error(s) encountered while parsing configuration
75e41f4b71Sopenharmony_ci```
76e41f4b71Sopenharmony_ci
77e41f4b71Sopenharmony_ci**Possible Causes**
78e41f4b71Sopenharmony_ci
79e41f4b71Sopenharmony_ci1. The SELinux type is not defined.
80e41f4b71Sopenharmony_ci2. The SELinux type is invisible when the current rule is complied. For example, an SELinux type defined for a directory in **/system** is used by a directory in **/vendor**. When the chipset-related rules (in **/vendor**) are complied, only the rules in the **/vendor** and **/public** directories are traversed. Because the SELinux type is defined for a directory in the **/system** directory, "unknown type" is reported.
81e41f4b71Sopenharmony_ci
82e41f4b71Sopenharmony_ci**Solution**
83e41f4b71Sopenharmony_ci
84e41f4b71Sopenharmony_ci1. Check whether the SELinux type is defined. If not, define **type** in the following format:
85e41f4b71Sopenharmony_ci
86e41f4b71Sopenharmony_ci```text
87e41f4b71Sopenharmony_citype init, xxx
88e41f4b71Sopenharmony_ci```
89e41f4b71Sopenharmony_ci
90e41f4b71Sopenharmony_ci2. Check whether the SELinux type is invisible to the rule compiled. If yes, move the SELinux type to a directory visible to the rule. You are advised to define the SELinux types in a file named **type.te** in the **/public** directory.