如何在init.rc文件中完全禁用Android L中的SELinux？

Question

I want to disable SELinux at boot time for Android L or 5. The reason is because my daemon is not begin executed on boot when it should due to SELinux problems. I have the following in my init.rc file:

su 0 setenforce 0
service my_daemon /system/bin/my_daemon 
    class main     # Also tried: class core (but it didn't make a difference)
    user root
    group root

However, on boot, I use adb shell to check if SELinux is disabled (using getenforce ) and it returns Enforcing . I want SELinux to be completely disabled on boot. If not completely disabled then at least Permissive .

Any suggestions?

Answer 1

Instead of putting in init.rc you can make it permissive by adding some parameters to kernel command line (BOARD_KERNEL_CMDLINE)

Ex: Add enforcing=0 androidboot.selinux=permissive in device/<manufacturer>/<target>/BoardConfig.mk

Answer 2

Well I guess you could create a new domain policy for your "my_daemon". For example, you can create mydomain.te file at device/manufacturer/device-name/sepolicy/ of your AOSP, with the following contents,

# mydomain policy here
type mydomain, domain;
permissive mydomain;
type mydomain_exec, exec_type, file_type;

init_daemon_domain(mydomain)

Now Add the following line to device/manufacturer/device-name/sepolicy/file_contexts:

/system/bin/my_daemon   u:object_r:mydomain_exec:s0

Here is your init.rc file:

service my_daemon /system/bin/my_daemon
    class core

So the good thing here is that only mydomain will be permissive and rest of the system will be enforcing, thus you can have your daemon running without any problems and still maintaining the system security.

Answer 3

After

setenforce 0

the enforce attribute will be Permissive imeddiately.