Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to set SELinux to 0 or permissive mode in android 4.4.4 and above?

I want to set the SELinux (Security Enhanced Linux) mode to Permissive or (0) on android 4.4.4 (and above if possible). I use the following command: setenforce 0, setenforce permissive and setenforce Permissive under root (my device is rooted). But the output of getenforce is always Enforcing. Now I am exhausted with this problem.

Can any one give me a solution? Thanks in advance.

like image 280
Vu Tran Avatar asked Jun 23 '15 09:06

Vu Tran


People also ask

How do I permanently change SELinux to permissive in Android?

Using the Kernel boot parameters at installation in SELinux. Similarly, we use the Kernel boot parameter at boot to change the SELinux mode to permissive permanently. In this case, we first edit the /etc/grub. conf file and add the option “selinux=1 enforcing=0” to the boot parameters.

How can I tell if SELinux is permissive Android?

To find out the current status of SELinux, issue the sudo sestatus command. Where STATUS is either enabled or disabled. Here, MODE is either disabled, permissive or enforcing. Another way of viewing the status of SELinux is to issue the getenforce command.


2 Answers

Depending on how your device was rooted and what Android ROM your running will determine how you can disable it. The first thing to try is:

adb shell su 0 setenforce 0

This is NOT the same as:

adb shell setenforce 0

The execute on su causes a domain transition from shell (which cannot setenforce) into the su domain (which can call setenforce). For instance, run:

$ adb shell id -Z
context=u:r:shell:s0

compared to:

$ adb shell su 0 id -Z
context=u:r:su:s0

This may fail for three reasons:

  1. You do not have the su executable
  2. The su executable has the wrong label
  3. The su domain rules were not compiled into the bootimage

To correct issue 2, you can (assuming adb is root):

adb remount
adb shell chcon /system/xbin/su u:object_r:su_exec:s0

This might fail, which will likely indicate issue 3. To fix issue 3, you need to recompile a boot.img that contains the su policy files. If you're compiling AOSP, just lunch a userdebug or eng variant of your device.

Another approach, would be to remove the functionality from init.c, and like issue 3, requires a recompile of the boot.img. Go into system/core/init/init.c (or .cpp) and remove all calls to security_setenforce().

Additionally, XDA has an application that may help automate this process and make it easier, however, I cannot speak to the quality of the application: http://www.xda-developers.com/easily-change-your-android-selinux-mode/

like image 51
William Roberts Avatar answered Oct 10 '22 11:10

William Roberts


Apparently Google has removed the CONFIG_SECURITY_SELINUX_DEVELOP kernel flag from many of their Stock kernels. Thus the standard trick mentioned by William (below) probably doesn't work. An example of these devices is the Samsung Note 4 (SM-N910F) running AOS 4.4.4.

The link above states:

CONFIG_SECURITY_SELINUX_DEVELOP aka global permissive mode, is useful for when you are first developing device-specific policy for a board (add 'androidboot.selinux=permissive' to BOARD_KERNEL_CMDLINE). It also permits transient setenforce 0 in -userdebug or -eng builds, which can be helpful for developers.

If the bootloader is locked, then you can't modify the kernel cmdline

"Also, the code in the init program for processing the androidboot.selinux= option is only compiled in -userdebug and -eng builds, so even aside from bootloader locking, you cannot use androidboot.selinux=permissive on a -user build."

The way to check what build type you have is:

$ getprop ro.build.type
user
like image 33
not2qubit Avatar answered Oct 10 '22 12:10

not2qubit