Android 4.2 introduced SELinux enabled by default on kernel

Question

1. As I have understood correctly, Android 4.2 introduced SELinux enabled by default on kernel. am I right? Is there anyway to disable it?

There are some of the apps might not work correctly.

Ex. Use mount command system wide stopped working

1. Is there anyway to disable it ? I check on VZW Galaxy Nexus - build JDQ39 - I am not sure what is the Linux version - Either SELinux or Linux.

2. What is the benefit of using SELinux VS Linux on android device.

Regards,

Answer 1

to be correct SELinux is enabled in 4.4 only for specific process: "In Android 4.3, SELinux was fully permissive. In Android 4.4, SELinux was made enforcing for the domains for several root processes: installd, netd, vold and zygote. All other processes, including other services and all apps, remain in permissive mode to allow further evaluation and prevent failures in Android 4.4. Still, an errant application could trigger an action in a root process that is not allowed, thereby causing the process or the application to crash."

Answer 2

If you rooted your device, you can hook it up your computer and simply do a

adb shell
su
setenforce 0

to disable SELinux. There are also other ways to disable it, some of them include writing 0 to some /dev/... or /sys/... device.

On most devices, it's only the locally installed mount command that won't allow you to do any mounts. Often this can be fixed by using busybox. Simply install busybox, or push it to a local directory and call busybox mount -o remount,rw /system as an example to remount the system read writable.

Answer 3

The SE Android is the Android that is built on SE Linux. This SE Android can be in one of the three states namely : Permissive, Enforcing and Disabled.

By default the Android kernel may be built on SE Linux for 4.2 but it is in Permissive mode by default. It is in Enforcing mode from 4.4 onwards. And since it is permissive, it is as good as disabled except that the AVC logs would be recorded.

You can check the mode of the SE Android through adb. just enter the command getenforce at the adb shell and you should get one of the above mentioned states. If the state is either Permissive or Disabled then SE Android is not the cause of the your issue.

Also for the benefit of using SE Linux over Linux, there are many. Most important is the usage of the MAC in addition to DAC. You can refer to this and can go to the Section where it explains how using SE Android can enhance the security in Android and can mitigate many exploits that have occurred before.

Answer 4

It is possible to bypass the mount issue.

The trick is to use adb on the device itself to connect locally to the device and issue the mount command through that. When running in adb you seem to get out of whatever jail prevents mount from working in apps. I don't think it's SELinux releated, it seems to have something to do with multiuser security and apparently lives mostly in the Android api's rather than at the kernel level (console apps should access the mounts fine).

With 4.2.2 it's a bit harder as you now need a key setup for adb.

Have a look here, it's for the Nexus 10 but the basic principles should work on anything.

Answer 5

No, it isn't enabled by default. There really isn't such a thing as enabled by default on Android, each handset manufacturer sets the configuration and makes modifications when they make a new device. Even if AOSP had it enabled by default in their kernels (which it doesn't) manufacturers would have to enable it in their kernels.

SELinux is Linux, with mandatory access controls. Please read up on SELinux.

Even devices that will ship with SE Android (SELinux + Android middleware MAC) soon (e.g., the Galaxy S IV) has it in permissive mode by default. You'd need an MDM client to set it to enforcing.