22

I'm the developer of a root app for Android.

Sadly, on some devices/ROMs SELinux is now in enforcing mode and prevents some actions of my app.

Because this is a root app, the users are granting me root access!

Now SELinux is blocking some of my actions and I need to find a solution for this.

I tried to temporarily disable SELinux with:

  • `setenforce permissive` -> no failure, but `getenforce` still returns "Enforcing"
  • `echo 0 > /sys/fs/selinux/enforce` -> no failure, but `getenforce` still returns "Enforcing"

I'm toying with the idea of editing the sepolicy file at runtime to allow the blocked commands and triggering a reload of it, but I'm neither sure if and how this could work, nor whether it is a good idea.

Who has some more tips or resources for me?

Breno Leitão
Martin L.
  • I thought the su daemon got around SELinux, as well as nosuid, by running in a different context entirely, no? What actions in particular are being blocked? – Delyan Oct 06 '13 at 10:36
  • I don't know how Chainfire did it with SU. But in my case it's e.g. `avc: denied { execstack } for pid=10971` and maybe more things after that :/ – Martin L. Oct 06 '13 at 10:38
  • Are you shipping `execstack` yourself? You do realize that whoever set up Enforcing mode might have locked down the `su` daemon/program till it's helpless in this case, right? – Delyan Oct 06 '13 at 10:59
  • I'm not very familiar with all that stuff, but SU is working on my device :) – Martin L. Oct 06 '13 at 11:06
  • What exactly are you running with su? It appears that something is running `execstack` (a fairly obscure piece of Linux history) and SELinux is stopping it. Post the full log, please. Does whatever you're running work from the shell? – Delyan Oct 06 '13 at 11:15
  • Hello Delyan, it's a large piece of code which was not written by me. It injects a shared library via PTRACE into a running process. Therefore it changes the stack of the target process to trigger a dlopen of the shared library. The ptrace itself works, but then the target process crashes due to a SEGV_ACCERR which is (I think) triggered by SELinux and the denied execstack. But really, what exactly happens is beyond my knowledge. – Martin L. Oct 06 '13 at 11:20
  • It's the `execstack` call (to make the stack in the binary executable) that fails due to the SE policy. Sorry but this is too niche for me to help. – Delyan Oct 06 '13 at 11:25
  • Alright, but many thanks for taking the time :) – Martin L. Oct 06 '13 at 11:36

6 Answers

13

You can use supolicy from the SuperSU app, see the link for a detailed description when and how it may be called.

In short:

  • Find out why something is blocked by SELinux by checking the audit messages, e.g. `dmesg | grep "audit"`
  • Create an `allow ...` rule that allows the blocked operation. They are similar (identical?) to 'allow' rules in SELinux *.te files.
  • Run `supolicy --live "allow ..."` in a root shell and check if the operation now succeeds. If not, extend your 'allow' rule(s). You can specify multiple 'allow' rules in a single supolicy call.

Note that supolicy is an expensive operation, so be sure to call it only once.

If you don't want to depend on Chainfire's SuperSU you may try sepolicy-inject. I did not test that myself.

Martin Gerczuk
  • Hi and welcome. I would recommend you to expand on your answer in order to be more helpful and to attract more votes. – Wtower Nov 07 '15 at 17:59
  • Thanks for the hint. I added a rough description of how to use `supolicy`. – Martin Gerczuk Nov 09 '15 at 14:54
  • I'd rather not trust root with a closed source binary, so I don't have SuperSU. I'd love to see what API calls that app is making. I'll try `sepolicy-inject` though. – Wyatt Ward Jun 23 '16 at 03:55
2

I have been trying to disable SELinux on Android 4.3 for a while now and this is what I came up with.

On Samsung S4 Android 4.3, setenforce 0 will change to Permissive mode.

On Samsung Note 3 Android 4.3, setenforce 0 will NOT change SELinux status.

I have tried Nexus 4 Android 4.3, however by default it is Permissive mode

user1546570
  • You don't actually answer the question … – Matthias Urlichs Oct 18 '14 at 11:25
  • @MatthiasUrlichs he didn't? He gave a way to actively change SELinux enforcement at runtime. The OP suggested his issue was directly tied to this. I can confirm that the SELinux status will change when `setenforce` is run as root in CyanogenMod 11. – Kevin Mark Oct 29 '14 at 00:19
2

Edit the build.prop file in the system folder on the root (the very first directory); using a text editor, search for selinux.

If you see something like `enable_selinux=1`, change it to 0; if you want the opposite, do it vice versa.

The changes will be applied after a reboot or a boot.

Similarly you can turn multi-user accounts and System Updates on/off. My device's manufacturer disabled System Updates.

27px
1

If you have root access, run `su 0 setenforce 0` to change to Permissive mode:

import java.io.IOException;

// Set SELinux to permissive (needs a working su; the command is passed as one
// string and split on whitespace by Runtime.exec)
private static final String COMMAND = "su 0 setenforce 0";

static boolean setPermissive() {
  try {
    Process p = Runtime.getRuntime().exec(COMMAND);
    // exec() returns immediately; wait so the exit status can be checked.
    // Non-zero means su was denied or setenforce refused the change.
    return p.waitFor() == 0;
  } catch (IOException | InterruptedException e) {
    e.printStackTrace();
    return false;
  }
}
t1mz0r
  • Hi t1mz0r, thanks for the feedback. That's what I already did and mentioned in my initial request. user1546570 pointed out that it sometimes works and sometimes not. Meanwhile I know it's not working on a few Samsung devices. I circumvented that issue here by programmatically changing the policies at runtime and forcing them to be reloaded, instead of disabling the whole SELinux via setenforce. Now that Android 5 is on the road, this might change in general - setenforce is at least working for the Nexus devices. Cheers & kind regards – Martin L. Nov 24 '14 at 12:53
1

You can download the app named SELinux Mode Changer. It's not on the Play Store, so you have to download it from Chrome or any other browser of your choice. The app just needs root permission, so try it.

Herik
0

Add

`androidboot.selinux=permissive`

to your kernel boot arguments.

Guerlando OCs