New to the switchroot scene; Trust is reporting that SELinux is disabled & encryption is disabled.
What is the recommended (and latest/modern) way to resolve this to meet SafetyNet check requirements?
Thank you.
Related
I would like to write and add my own policy for my GS4 to enforce an app. It's shipped with SELinux in permissive mode by default, so I put it into enforcing mode ('enforcing=true' in init.rc, and flash), and rebuilt the kernel from source to enable AVC logging for debugging purposes.
I only have the Samsung compiled policy, /sepolicy; Samsung doesn't give the policy source code.
So the question is: what is the right way to add my own rules to the Samsung policy?
Here are some of my (bad) ideas:
1- Decompile the Samsung sepolicy, add my own rules for my new app, and recompile all.
2- Add SELinux binary tools (i.e. semodule) on the device, and link my policy.pp on it.
Any suggestions, ideas?
Up + more info.
Samsung is not using the per-app MLS category support from SELinux-project sample policy but are instead only using MLS categories for their container implementation.
As far as I know, there aren't any decompilation tools available, just some debug tools that can give you an idea of what the policies do (i.e. they can't create pp, te, or fc files). Those tools seem to be broken right now too. They don't work for the policies on my Fedora 18 installation, nor do they work on the files from the Galaxy S4 firmware.
I think you'll have better luck with semodule. It's a pain to compile glibc, libselinux, etc. for Android, so it might be better to set up an Ubuntu chroot to use the SELinux tools.
One more (bad) idea would be to compile the policy on a Fedora system, record the data being written to /sys/fs/selinux, and load your policy. Then you could create a simple script that writes the same data to Android's sysfs. I'm not sure how exactly to record the writes though (maybe aufs/overlayfs mounted at /sys/fs/selinux).
Just some ideas...not sure if they're useful
Is there no way to get the Samsung policy files? In that case, it wouldn't be possible to build a vendor platform anymore, especially not with SELinux enforced.
Is it possible to disable SELinux on the GS4? I succeeded in switching to enforce mode ('enforcing = true' in init.rc, and flash), and it works well. But when I want to completely disable SELinux (via kernel configuration), sound (and other stuff) doesn't work.
Is it a protection made by Samsung to keep SELinux (in enforcing or permissive mode)?
I tried with GT-I9505_JB_Opensource_Update1.zip and GT-I9505_JB_Opensource_Update2.zip.
Thanks,
Does someone have some information?
Thank you!
Hello,
I'm developing an application that uses an external USB webcam. Previously I used a Galaxy S3 for testing and everything worked OK. But I had to change the phone because I need more power, so I'm now trying with an LG G2 (D802) with stock Android Lollipop (rooted).
With this stock Android 5.0.2, the SELinux state is set to enforcing and I have a lot of denials when trying to use cameras. I tried to change the state manually, since the device is rooted, with the commands "su setenforcing 0" and "su system setenforcing 0". The first seems to do nothing and with the second I get an error: "Could not set enforcing status: Permission denied".
I also tried with selinuxmodechanger and got a notification of the change, but I am still getting denials.
I can't check the actual status because I can't find the SELinux state in "about phone" like on other devices. But the errors show a tag named permissive and it has value 1. I think it should be 0...
I attached an image of logcat with the error.
I would really appreciate any help.
Thanks.
I found that the problem is not related to the SELinux state.
The SELinux state is already permissive, but I read on Chainfire's website that warnings about AVC denials still appear in logcat even when enforcing is disabled, and are not actually blocking anything.
The problem seems to be a bug in the USB libraries when using OTG USB 1. I read in the dmesg log that a bandwidth allocation on the USB bus for the camera is failing on initialization (Not enough bandwith to allocate altsetting 5 2048B/frame). So I solved this problem using a USB 2.0 OTG hub.
I think this can be helpful for someone.
thanks
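The distinction described in the post above (an AVC denial logged with permissive=1 was recorded but not enforced) can be checked mechanically; this is an added example, not part of the original thread. The log lines are constructed samples in the kernel's AVC audit format, and the function names are hypothetical.

```python
import re

# Constructed sample lines (not taken from the post's logcat screenshot).
SAMPLE_LOG = '''\
type=1400 audit(1430000000.101:31): avc: denied { read write } for pid=412 comm="mediaserver" name="video0" dev="tmpfs" ino=9012 scontext=u:r:mediaserver:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
type=1400 audit(1430000000.207:32): avc: denied { open } for pid=2981 comm="webcam.app" name="video0" dev="tmpfs" ino=9012 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
type=1400 audit(1430000000.350:33): avc: denied { getattr } for pid=2981 comm="webcam.app" path="/dev/bus/usb" dev="tmpfs" ino=7001 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=dir
I/ActivityManager(  801): Displayed com.example.webcam/.MainActivity
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    """Return the type component of a user:role:type:level context, or None."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'source': _type_of(fields.get('scontext')),
        'target': _type_of(fields.get('tcontext')),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'permissive': fields.get('permissive'),  # None if the field is absent
    }

def triage(log):
    """Group denials by whether the access was actually blocked."""
    effect = {'0': 'blocked', '1': 'logged_only'}
    result = {'blocked': [], 'logged_only': [], 'unknown': []}
    for line in log.splitlines():
        denial = parse_avc(line)
        if denial:
            # Assumption: a line with no permissive= field cannot be classified
            # from the line alone, so it is reported as unknown.
            result[effect.get(denial['permissive'], 'unknown')].append(denial)
    return result

if __name__ == '__main__':
    for kind, denials in triage(SAMPLE_LOG).items():
        for d in denials:
            print(kind, d['source'], d['target'], d['tclass'], d['perms'])
```

Only the entries under `blocked` can explain a failing operation; if everything lands in `logged_only`, the cause lies elsewhere, as it did with the USB bandwidth error in this thread.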
Hi! What is the difference between Enforcing and Permissive? And which is best?
It's security stuff.
Some apps don't work well while it's set to enforcing (basically it means it's on), so having it set to permissive may be better.
If you're concerned about security, then leave it enforcing.
This wiki page may be useful: https://en.m.wikipedia.org/wiki/Security-Enhanced_Linux
MutantKernel v2
LZ4 Compression
Disabled KNOX & TIMA
One click SELinux status change through OKM
TCP Algorithms
Working S-Health
Disabled CRCs (30% performance boost)
Enable NTFS support
Disabled Forced File Encryption
Disabled Secure Storage
Disabled DM_VERITY
Fake knox 0x0
Enable F2FS support
ADB FIXED & Logcat Working at boot
Status: Stable
Current Stable Version: v2
Kernel version: 3.18.14
Google disk | MEGA
Does this work on y variant?