How to completely disable SELinux in Android L in the init.rc file?


Solution 1

After

setenforce 0

the enforce attribute will be Permissive immediately.

Solution 2

Instead of putting it in init.rc, you can make it permissive by adding some parameters to the kernel command line (BOARD_KERNEL_CMDLINE).

Ex: Add enforcing=0 androidboot.selinux=permissive in device/<manufacturer>/<target>/BoardConfig.mk

Solution 3

Well I guess you could create a new domain policy for your "my_daemon". For example, you can create mydomain.te file at device/manufacturer/device-name/sepolicy/ of your AOSP, with the following contents,

# mydomain policy here
type mydomain, domain;
permissive mydomain;
type mydomain_exec, exec_type, file_type;

init_daemon_domain(mydomain)

Now add the following line to device/manufacturer/device-name/sepolicy/file_contexts:

/system/bin/my_daemon   u:object_r:mydomain_exec:s0

Here is your init.rc file:

service my_daemon /system/bin/my_daemon
    class core

So the good thing here is that only mydomain will be permissive and the rest of the system will be enforcing; thus you can have your daemon running without any problems while still maintaining the system security.
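A pre-release check for the three relaxations discussed in these answers (a per-domain `permissive` statement, the kernel command line switches, and `setenforce 0` in an init script), given here as an added example that is not part of any answer. The function names, finding labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SELinux relaxations left in an AOSP device tree.
# Each finding prints as "<kind>: <file>:<line>:<text>".

scan_tree() {
    dir=$1
    # 1. Per-domain "permissive <domain>;" statements in policy sources.
    find "$dir" -type f -name '*.te' -exec grep -nE \
        '^[[:space:]]*permissive[[:space:]]+[A-Za-z0-9_]+[[:space:]]*;' \
        /dev/null {} + | sed 's/^/permissive-domain: /'
    # 2. Kernel command line switches in BoardConfig*.mk (comment lines skipped).
    find "$dir" -type f -name 'BoardConfig*.mk' -exec grep -nE \
        '^[^#]*(androidboot\.selinux=permissive|enforcing=0)' \
        /dev/null {} + | sed 's/^/permissive-cmdline: /'
    # 3. "setenforce 0" in init scripts (comment lines skipped).
    find "$dir" -type f -name '*.rc' -exec grep -nE \
        '^[^#]*setenforce[[:space:]]+0([[:space:]]|$)' \
        /dev/null {} + | sed 's/^/setenforce-in-rc: /'
}

# Prints the findings and returns 1 if any exist, 0 for a clean tree.
audit_selinux() {
    findings=$(scan_tree "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree combining the three approaches from this page.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/sepolicy"
    printf '%s\n' '# mydomain policy here' 'type mydomain, domain;' \
        'permissive mydomain;' > "$t/sepolicy/mydomain.te"
    printf '%s\n' '# enforcing=0 (commented out, must not be reported)' \
        'BOARD_KERNEL_CMDLINE += enforcing=0 androidboot.selinux=permissive' \
        > "$t/BoardConfig.mk"
    printf '%s\n' 'on boot' '    setenforce 0' \
        'service my_daemon /system/bin/my_daemon' '    class core' \
        > "$t/init.rc"
    echo "$t"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
audit_selinux "$tree" || echo "SELinux relaxations present: not ready for release"
rm -rf "$tree"
```

To check a real tree, call `audit_selinux device/<manufacturer>/<target>` from the AOSP root and fail the build step on a non-zero return.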

Author by

Redson

Updated on September 08, 2020

Comments

  • Redson almost 4 years

    I want to disable SELinux at boot time for Android L or 5. The reason is because my daemon is not being executed on boot when it should due to SELinux problems. I have the following in my init.rc file:

    su 0 setenforce 0
    service my_daemon /system/bin/my_daemon 
        class main     # Also tried: class core (but it didn't make a difference)
        user root
        group root
    

    However, on boot, I use adb shell to check if SELinux is disabled (using getenforce) and it returns Enforcing. I want SELinux to be completely disabled on boot. If not completely disabled then at least Permissive.

    Any suggestions?