Reputation: 2140
I want to disable SELinux at boot time for Android L or 5. The reason is that my daemon is not being executed on boot when it should, due to SELinux problems. I have the following in my init.rc file:
    su 0 setenforce 0
    service my_daemon /system/bin/my_daemon
        class main # Also tried: class core (but it didn't make a difference)
        user root
        group root
However, on boot, I use adb shell to check if SELinux is disabled (using getenforce) and it returns Enforcing. I want SELinux to be completely disabled on boot. If not completely disabled, then at least Permissive.
Any suggestions?
Upvotes: 12
Views: 43933
Reputation: 287
If you want to completely disable SELinux, you need to change the selinux.cpp functions placed at system/core/init. Two functions, StatusFromProperty() and IsEnforcing(), set the status of SELinux and are called in different units. If you change the return value of both to SELINUX_PERMISSIVE and false respectively, the SELinux status will always be permissive. Please see this answer related to this post here. This also works for user-type builds.
Upvotes: 0
Reputation: 31108
Disabling SELinux only works on userdebug or eng builds, not on standard user builds:
Caution: Permissive mode is not supported on production devices. CTS tests confirm enforcing mode is enabled.
SELinux enforcement can be disabled via ADB on userdebug or eng builds.
Also see https://stackoverflow.com/a/32660547/282601
Upvotes: 0
Reputation: 61
Well, I guess you could create a new domain policy for your "my_daemon". For example, you can create a mydomain.te file at device/manufacturer/device-name/sepolicy/ of your AOSP, with the following contents:
    # mydomain policy here
    type mydomain, domain;
    permissive mydomain;
    type mydomain_exec, exec_type, file_type;
    init_daemon_domain(mydomain)
Now add the following line to device/manufacturer/device-name/sepolicy/file_contexts:
    /system/bin/my_daemon u:object_r:mydomain_exec:s0
Here is your init.rc file:
    service my_daemon /system/bin/my_daemon
        class core
So the good thing here is that only mydomain will be permissive and the rest of the system will be enforcing; thus you can have your daemon running without any problems while still maintaining system security.
Upvotes: 6
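Whichever route you take (a permissive domain as above, or a build-wide switch), the way to see what SELinux is actually blocking is the AVC denial lines in dmesg or logcat. The following is an added example, not code from any answer here: a POSIX sh/awk parser run over constructed sample denial lines that extracts source context, target context, class and permissions, and flags whether each denial happened in enforcing mode (permissive=0), which is what tells you whether the daemon was really blocked rather than just logged.

```shell
#!/bin/sh
# Constructed sample lines in the format Android's kernel/audit subsystem emits
# for AVC denials (not taken from the post). The third line is noise to skip.
SAMPLE_AVC='[   12.345678] type=1400 audit(1700000000.123:45): avc: denied { execute } for pid=1234 comm="init" name="my_daemon" dev="dm-0" ino=123 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
[   12.350000] type=1400 audit(1700000000.130:46): avc: denied { read write } for pid=1240 comm="my_daemon" name="ttyS0" dev="tmpfs" ino=99 scontext=u:r:mydomain:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
[   12.360000] init: starting service my_daemon...'

# Print one "scontext tcontext tclass {perms} mode" line per AVC denial in $1.
# Lines without "avc: denied" are ignored. awk only, so it runs in any POSIX sh.
parse_avc() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            # the requested permissions sit between the braces
            match($0, /[{][^}]*[}]/)
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            s = t = c = m = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)        s = substr($i, 10)
                else if ($i ~ /^tcontext=/)   t = substr($i, 10)
                else if ($i ~ /^tclass=/)     c = substr($i, 8)
                else if ($i ~ /^permissive=/) m = (substr($i, 12) == "1") ? "permissive" : "enforcing"
            }
            print s, t, c, "{" perms "}", m
        }'
}

# Return 0 (true) if any denial in $1 was logged in enforcing mode,
# i.e. the access was actually refused, not merely audited.
blocked_in_enforcing() {
    parse_avc "$1" | grep -q ' enforcing$'
}

# Stand-alone usage: parse_avc "$(adb shell dmesg)" on a real device.
parse_avc "$SAMPLE_AVC"
```

The first sample line is the shape you would expect when init (domain init) is refused execute on a binary still labelled system_file, i.e. before the file_contexts entry above has taken effect; the second shows a denial inside the new permissive domain, which is logged but not blocked.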
Reputation: 358
Instead of putting it in init.rc, you can make it permissive by adding some parameters to the kernel command line (BOARD_KERNEL_CMDLINE).
Ex: Add enforcing=0 androidboot.selinux=permissive in device/<manufacturer>/<target>/BoardConfig.mk
Upvotes: 6
Reputation: 300
After setenforce 0, the enforce attribute will be Permissive immediately.
Upvotes: 0