Temporary disable or modify SELinux on Android

Question

I'm the developer on a root -app for Android.

Sadly now on some devices/ROMs there is SELinux in enforce -mode and prevents some actions of my app.

Because this is a root-app, the users are granting me root-access!

Now, SELinux is blocking some of my actions and I need to find a solution for this.

I tried to temporary disable SELinux by

setenforce permissive -> no failure, but getenforce still returns "Enforcing"
echo 0 > /sys/fs/selinux/enforce -> no failure, but getenforce still returns "Enforcing"

I play with the idea to edit the sepolicy -file at runtime to allow the blocked commands and trigger a reload of it, but I'm neither sure if & how this could work, nor isn't it a good idea.

Who has some more tips or resources for me?

Answer 1

You can use supolicy from the SuperSU app, see the link for a detailed description when and how it may be called.

In short:

• Find out why something is blocked by SELinux by checking the audit messages, eg dmesg | grep "audit" dmesg | grep "audit"
• Create an allow ... rule that allows the blocked operation. They are similar (identical?) to 'allow' rules in SELinux *.te files.
• Run supolicy --live "allow ..." in a root shell and check if the operation now succeeds. If not, extend your 'allow' rule(s). You can specify multiple 'allow' rules in a single supolicy call.

Note that supolicy is an expensive operation, so be sure to call it only once.

If you don't want to depend on Chainfire's SuperSU you may try sepolicy-inject . I did not test that myself.

Answer 2

I have been trying to disable SELinux on Android 4.3 for a while now and this is what i came up with.

On Samsung S4 Android 4.3, setenforce 0 will change to Permissive mode.

On Samsung Note 3 Android 4.3, setenforce 0 will NOT change SELinux status.

I have tried Nexus 4 Android 4.3, however by default it is Permissive mode

Answer 3

Edit build.prop file in the system folder on the very first directory, using a text editor search "selinux"
If you see something like enable_selinux=1 , change it to 0 , if it is to disable do it vice versa , changes will be applied after a reboot or a boot.

Similarly you can turn on / off multi user account , System updates.

My devices manufacturer disabled System Updates.

Answer 4

If you have root access, run su 0 setenforce 0 to change to Permissive mode:

// Set SELinux to permissive
private static final String COMMAND = "su 0 setenforce 0"; 
try {
  Runtime.getRuntime().exec(COMMAND);
} catch (IOException e) {
  e.printStackTrace();
}

Answer 5

You can download the app name selinux mod changer. It's not on play store so you have download it from chrome or any other browser of your choice. App just need root permission so try it.

Answer 6

Add

androidboot.selinux=permissive

to your kernel boot arguments