I'm the developer on a root -app for Android.
Sadly now on some devices/ROMs there is SELinux in enforce -mode and prevents some actions of my app.
Because this is a root-app, the users are granting me root-access!
Now, SELinux is blocking some of my actions and I need to find a solution for this.
I tried to temporary disable SELinux by
setenforce permissive -> no failure, but getenforce still returns "Enforcing"
echo 0 > /sys/fs/selinux/enforce -> no failure, but getenforce still returns "Enforcing"
I play with the idea to edit the sepolicy -file at runtime to allow the blocked commands and trigger a reload of it, but I'm neither sure if & how this could work, nor isn't it a good idea.
Who has some more tips or resources for me?
You can use supolicy
from the SuperSU app, see the link for a detailed description when and how it may be called.
In short:
dmesg | grep "audit"
dmesg | grep "audit"
allow ...
rule that allows the blocked operation. They are similar (identical?) to 'allow' rules in SELinux *.te files.supolicy --live "allow ..."
in a root shell and check if the operation now succeeds. If not, extend your 'allow' rule(s). You can specify multiple 'allow' rules in a single supolicy
call. Note that supolicy
is an expensive operation, so be sure to call it only once.
If you don't want to depend on Chainfire's SuperSU you may try sepolicy-inject
. I did not test that myself.
I have been trying to disable SELinux on Android 4.3 for a while now and this is what i came up with.
On Samsung S4 Android 4.3, setenforce 0
will change to Permissive
mode.
On Samsung Note 3 Android 4.3, setenforce 0
will NOT change SELinux status.
I have tried Nexus 4 Android 4.3, however by default it is Permissive
mode
Edit build.prop
file in the system folder on the very first directory, using a text editor search "selinux"
If you see something like enable_selinux=1 , change it to 0 , if it is to disable do it vice versa , changes will be applied after a reboot or a boot.
Similarly you can turn on / off multi user account , System updates.
My devices manufacturer disabled System Updates.
If you have root access, run su 0 setenforce 0
to change to Permissive
mode:
// Set SELinux to permissive
private static final String COMMAND = "su 0 setenforce 0";
try {
Runtime.getRuntime().exec(COMMAND);
} catch (IOException e) {
e.printStackTrace();
}
You can download the app name selinux mod changer. It's not on play store so you have download it from chrome or any other browser of your choice. App just need root permission so try it.
Add
androidboot.selinux=permissive
to your kernel boot arguments
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.