How to set SELinux to 0 or permissive mode in android 4.4.4 and above?
I want to set the SELinux (Security Enhanced Linux) mode to Permissive or (0) on android 4.4.4 (and above if possible). I use the following command: setenforce 0, setenforce permissive and setenforce Permissive under root (my device is rooted). But the output of getenforce is always Enforcing. Now I am exhausted with this problem.
Can any one give me a solution? Thanks in advance.
Answer
Depending on how your device was rooted and what Android ROM your running will determine how you can disable it. The first thing to try is:
adb shell su 0 setenforce 0
This is NOT the same as:
adb shell setenforce 0
The execute on su causes a domain transition from shell (which cannot setenforce) into the su domain (which can call setenforce). For instance, run:
$ adb shell id -Z
context=u:r:shell:s0
compared to:
$ adb shell su 0 id -Z
context=u:r:su:s0
This may fail for three reasons:
- You do not have the su executable
- The su executable has the wrong label
- The su domain rules were not compiled into the bootimage
To correct issue 2, you can (assuming adb is root):
adb remount
adb shell chcon /system/xbin/su u:object_r:su_exec:s0
This might fail, which will likely indicate issue 3. To fix issue 3, you need to recompile a boot.img that contains the su policy files. If you're compiling AOSP, just lunch a userdebug or eng variant of your device.
Another approach, would be to remove the functionality from init.c, and like issue 3, requires a recompile of the boot.img. Go into system/core/init/init.c (or .cpp) and remove all calls to security_setenforce().
Additionally, XDA has an application that may help automate this process and make it easier, however, I cannot speak to the quality of the application: http://www.xda-developers.com/easily-change-your-android-selinux-mode/