I want to set the SELinux (Security Enhanced Linux) mode to Permissive or (0) on android 4.4.4 (and above if possible). I use the following command: setenforce 0
, setenforce permissive
and setenforce Permissive
under root (my device is rooted). But the output of getenforce
is always Enforcing
. Now I am exhausted with this problem.
Can any one give me a solution? Thanks in advance.
Using the Kernel boot parameters at installation in SELinux. Similarly, we use the Kernel boot parameter at boot to change the SELinux mode to permissive permanently. In this case, we first edit the /etc/grub. conf file and add the option “selinux=1 enforcing=0” to the boot parameters.
To find out the current status of SELinux, issue the sudo sestatus command. Where STATUS is either enabled or disabled. Here, MODE is either disabled, permissive or enforcing. Another way of viewing the status of SELinux is to issue the getenforce command.
Depending on how your device was rooted and what Android ROM your running will determine how you can disable it. The first thing to try is:
adb shell su 0 setenforce 0
This is NOT the same as:
adb shell setenforce 0
The execute on su causes a domain transition from shell (which cannot setenforce) into the su domain (which can call setenforce). For instance, run:
$ adb shell id -Z
context=u:r:shell:s0
compared to:
$ adb shell su 0 id -Z
context=u:r:su:s0
This may fail for three reasons:
To correct issue 2, you can (assuming adb is root):
adb remount
adb shell chcon /system/xbin/su u:object_r:su_exec:s0
This might fail, which will likely indicate issue 3. To fix issue 3, you need to recompile a boot.img that contains the su policy files. If you're compiling AOSP, just lunch a userdebug or eng variant of your device.
Another approach, would be to remove the functionality from init.c, and like issue 3, requires a recompile of the boot.img. Go into system/core/init/init.c (or .cpp) and remove all calls to security_setenforce().
Additionally, XDA has an application that may help automate this process and make it easier, however, I cannot speak to the quality of the application: http://www.xda-developers.com/easily-change-your-android-selinux-mode/
Apparently Google has removed the CONFIG_SECURITY_SELINUX_DEVELOP
kernel flag from many of their Stock kernels. Thus the standard trick mentioned by William (below) probably doesn't work. An example of these devices is the Samsung Note 4 (SM-N910F) running AOS 4.4.4.
The link above states:
CONFIG_SECURITY_SELINUX_DEVELOP aka global permissive mode, is useful for when you are first developing device-specific policy for a board (add 'androidboot.selinux=permissive' to BOARD_KERNEL_CMDLINE). It also permits transient setenforce 0 in -userdebug or -eng builds, which can be helpful for developers.
If the bootloader is locked, then you can't modify the kernel cmdline
"Also, the code in the init program for processing the
androidboot.selinux=
option is only compiled in -userdebug
and -eng
builds, so even aside from bootloader locking, you cannot use
androidboot.selinux=permissive
on a -user
build."
The way to check what build type you have is:
$ getprop ro.build.type
user
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With