Hi! What is the difference between Enforcing and Permissive? and what is the best?
It's security stuff.
Some apps don't work well while it's set to enforcing (basically it means it's on), so having it set to permissive may be better.
If you're concerned about security, then leave it enforcing.
This wiki page may be useful: https://en.m.wikipedia.org/wiki/Security-Enhanced_Linux
Related
I would like to write and add my own policy for my GS4 to enforce an app. It's shipped with SELinux in permissive mode by default, so I put it into enforcing mode ('enforcing=true' in init.rc, and flash), and rebuild the kernel from source to enable the AVC logging, for debugging purposes.
I only have the the samsung compiled policy: /sepolicy, Samsung doesn't give the policy source code.
So the question is: What is the right way to add my own rules to the samsung policy ?
Here are some of my (bad) ideas:
1- Decompile the samsung sepolicy, add my own rules for my new app, and recompile all.
2- Add SElinux binaries tools (i.e. semodule) on the device, and link my policy.pp on it.
Any suggestions, ideas ?
Up + more info.
Samsung is not using the per-app MLS category support from SELinux-project sample policy but are instead only using MLS categories for their container implementation.
As far as I know, there aren't any decompilation tools available, just some debug tools that can give you an idea of what the policies do (ie. it can't create pp, te, or fc files). Those tools seem to be broken right now too. They don't work for the policies on my Fedora 18 installation nor do they work on the files from the Galaxy S4 firmware.
I think you'll have better luck with semodule. It's a pain to compile glibc, libselinux, etc. for Android, so it might be better to set up an Ubuntu chroot to use the SELinux tools.
One more (bad) idea would be to compile the policy on a Fedora system, record the data being written to /sys/fs/selinux, and load your policy. Then you could create a simple script that writes the same data to Android's sysfs. I'm not sure how exactly to record the writes though (maybe aufs/overlayfs mounted at /sys/fs/selinux).
Just some ideas...not sure if they're useful
Is there no way to get the samsung policy files? I that case, it wouldn't be possible to build a vendor platform anymore, escpecially not with selinux enforced.
Is it possible to disable selinux on the GS4? I succeed to switch to enforce mode ('enforcing = true' in init.rc, and flash), it works well. But when I want to completely disable SELinux (via kernel configuration) Sound (and other stuff) don't work.
Is it a protection made by Samsung to keep SELinux (in enforcing or permissif mode) ?
I try with GT-I9505_JB_Opensource_Update1.zip, and GT-I9505_JB_Opensource_Update2.zip.
Thanks,
Does someone has some informations ?
Thanks you !
Hello,
I'm developing an application that uses an external usb webcam. Times before i used a galaxy S3 for testing and everything work ok. But i had to change the phone because need more power so im trying now with a LG G2 (D802) with android lollipop stock (rooted).
With this stock android 5.0.2 SELinux state is set to enforcing and have a lot of denials trying to use cameras. I tried to change state manually due devide is rooted with commands "su setenforcing 0" and "su system setenforcing 0". The first seems to do nothing and with the second i get an error: "Could not set enforcing status: Permission denied".
I tried also with selinuxmodechanger and get notification of the change but still getting denials.
I can't check actual status because can't found SELinux state in "about phone" like in others devices. But errors show a tag named permissive and has value 1. I think should be 0...
I attached a image of logcat with the error.
Any help i really appreciate.
Thanks.
I found that the problem is not related with SELinux state.
SELinux state is already permissive, but, i read on chainfire web that warnings about avc denials still appearing in logcat even when enforcing is disabled and are not blocking anything actually.
The problem seems to be a bug in usb libraries when using otg usb 1. I read on dmesg log that an allocation bandwith on usb bus for the camera is failling on initialization (Not enough bandwith to allocate altsetting 5 2048B/frame). So, i solve this problem using a usb 2.0 otg hub.
I think this can be helpful for someone.
thanks
Current status of my Note 3
Root,Unlocked bootloader,twrp recovery and the firmware is OF1.
The reason I think I need permissive mode is because I am having problems with trying to get linux deploy to work.
From reading some posts I have gathered that selinux might be the problem.
To get into permissive mode I need to replace the kernel I think, how is permissive mode done ?
thank you.
The phantomOne kernel ("hlte-vzw" version) seems to be permissive. You can use it with the AryaMod ROM if you like.*
There are kernel build-time configuration option(s) determining whether SELinux is (a) disabled, (b) alterable by kernel boot arguments (or post-boot changes), or (c) permanently enabled and immutable, and finally (d) either permissive or enforcing. In the case of (b) the default (absent a kernel boot command line argument) could be either permissive or enforcing.
Some of the above combinations are not used in practice - e.g. it makes little sense to be immutable and permissive.
In any event, you would have to see the kernel build configuration files to know what the exact setup was (or the kernel has /proc/config.gz enabled).
Typically a vendor will use "permissive" as a stepping stone towards getting full-up immutable, enforcing SElinux running without problems: the kernel will issue violation warnings without enforcing the SElinux constraints, so that kernel logs can be used to diagnose improper setups of SElinux execution contexts (domains) and filesystem extended attributes on a live testing system.
* I'm on NC4 bootloader; ymmv.
W T F no write access to ext sd card as default ?
still poking about trying to figure out why the linux install script's dont work.
I have discovered that as a default programs or apps dont have the permissions to write to the extsdcard . The extsdcard is read only. I think that actually is my problem.
where do I look to perminatly change my permissions on my extsdcard to 777 for all users and groups.
does android have somthing like an fstab file or mounting options ??
If it's any encouragement to you, I got the "Linux deploy" app to work on
AryaMod6.6 + phantomOne kernel (permissive SELinux).
I had similar troubles creating the initial container on the /sdcard, and I'm pretty sure that was just operator error because the interface is not intuitive and of course I completely failed to RTFM. So, maybe the container creation issue has nothing to do with SELinux at all.
Useful hint: with a default "linux" (==debian jessie ARM) profile container, the default username for all the services (httpd, sshd, vnc) is "android", and the initial passwords are found in two different places: under the "Settings" menu pick for httpd and telnetd, and under the little "inbox" icon menu for the profile for sshd and vnc. I had to use "apt-get install tightvncserver" to get vncserver up and running from the ssh command line. ("sudo /bin/bash" first).
I had to log in to the phone via adb and do a " netstat -n -a | grep 'tcp.*LISTEN' " to convince myself the various servers were up. That helped a bunch. httpd on :5080, telnetd on :5023, vncserver on :5901.
good luck, I struggled with it.
What are you going to use this for? I suppose if you have access to a full native-ARM Linux environment, perhaps it is easier to build native tools against libc without the constraints of bionic and the NDK?
bftb0 said:
If it's any encouragement to you, I got the "Linux deploy" app to work on
AryaMod6.6 + phantomOne kernel (permissive SELinux).
I had similar troubles creating the initial container on the /sdcard, and I'm pretty sure that was just operator error because the interface is not intuitive and of course I completely failed to RTFM. So, maybe the container creation issue has nothing to do with SELinux at all.
<SNIP>
What are you going to use this for? I suppose if you have access to a full native-ARM Linux environment, perhaps it is easier to build native tools against libc without the constraints of bionic and the NDK?
Click to expand...
Click to collapse
What I am trying to do is explore just how well I can really use this brilliantly wonderful device as my main computer. I have good reasons for this but there all related to my personal circumstances and I won't bore you with the details, sufice it to say that I am now living in a electricity/power scarce inviroment and a cell phone is about as power efficient as I can get and have reasonably powerfull hardware.
I had considered sbc's like the Rasb. pi but there are none that even come close to the capabilities of this phone.
GPS,wifi,cellular,acceleromiter etc.
In an Ideal world I could wipe android fully from the phone and load a distro of linux that fully supported all the hard ware of the note 3 giving me as fast and lean a computing enviroment to work with Or perhaps a duel boot configuration like grub boot either android or linux.
Phantom kernel and lss works great ..been going back and forth with the latest international roms since there's not too much happening on our Verizon forum.
Sent from my SM-N930F using Tapatalk
New to the switchroot scene; Trust is reporting that SELinux is disabled & encryption is disabled.
What is the recommended (and latest/modern) way to resolve this to meet Safetynet check requirements?
Thank you.