I'm the developer of a root app for Android.
Sadly, on some devices/ROMs SELinux is now in enforcing mode and prevents some actions of my app.
Because this is a root-app, the users are granting me root-access!
Now, SELinux is blocking some of my actions and I need to find a solution for this.
I tried to temporarily disable SELinux by:
setenforce permissive -> no failure, but getenforce still returns "Enforcing"
echo 0 > /sys/fs/selinux/enforce -> no failure, but getenforce still returns "Enforcing"
I'm playing with the idea of editing the sepolicy file at runtime to allow the blocked commands and triggering a reload of it, but I'm sure neither if and how this could work, nor whether it is a good idea.
Who has some more tips or resources for me?
You can use supolicy from the SuperSU app; see the link for a detailed description of when and how it may be called.
In short:
dmesg | grep "audit"
allow ... rule that allows the blocked operation. They are similar (identical?) to 'allow' rules in SELinux *.te files.
supolicy --live "allow ..." in a root shell and check if the operation now succeeds. If not, extend your 'allow' rule(s). You can specify multiple 'allow' rules in a single supolicy call.
Note that supolicy is an expensive operation, so be sure to call it only once.
If you don't want to depend on Chainfire's SuperSU you may try sepolicy-inject. I did not test that myself.
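The workflow from the answer above, as an added example (not code from the original answer or from SuperSU): it reads audit output, keeps only denials raised by one source domain, merges permissions per rule, and builds a single supolicy call. The log lines and the domain name `su` are constructed, the rules use standard *.te syntax, and passing each rule as its own quoted argument is an assumption to check against the supolicy documentation.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample of `dmesg | grep "audit"` output (not from a real device).
SAMPLE_DMESG = """\
[ 101.1] type=1400 audit(1.1:5): avc: denied { read } for pid=43 comm="rootapp" name="state" scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[ 101.2] type=1400 audit(1.2:6): avc: denied { write open } for pid=43 comm="rootapp" name="state" scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[ 101.3] type=1400 audit(1.3:7): avc: denied { search } for pid=43 comm="rootapp" name="block" scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
[ 102.0] type=1400 audit(2.0:8): avc: denied { getattr } for pid=99 comm="other" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
[ 103.0] type=1404 audit(3.0:9): enforcing=1 old_enforcing=0
"""

# `.` never crosses a newline, so a truncated line cannot borrow fields from the next.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def context_type(context):
    """Return the type field of user:role:type:level[:categories], or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 4 else None

def allow_rules(log_text, source_domain=None):
    """Turn AVC denials into merged allow rules, optionally for one domain only."""
    merged = defaultdict(set)
    for perms, scontext, tcontext, tclass in AVC_RE.findall(log_text):
        src, tgt = context_type(scontext), context_type(tcontext)
        if src is None or tgt is None:
            continue  # malformed context: skip instead of guessing
        if source_domain and src != source_domain:
            continue  # least privilege: ignore denials of unrelated processes
        merged[(src, tgt, tclass)].update(perms.split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def supolicy_command(rules):
    """One invocation for all rules, since supolicy is expensive (assumed argv form)."""
    return shlex.join(["supolicy", "--live", *rules])

if __name__ == "__main__":
    rules = allow_rules(SAMPLE_DMESG, source_domain="su")
    print("\n".join(rules))          # review every rule before applying it
    print(supolicy_command(rules))
```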