Hello, I've been looking to flash a custom rom on my phone, but all the roms available are on SELinux Permissive.
From what I do understand, running permissive allows any apps to obtain root - without asking for your permission.
In theory, that sounds pretty dangerous. But how does it works in practice? Is it as dangerous as it sounds?
Should I continue to avoid these permissive roms due to the theortical security risk or just go for it?
Setting Android's SELinux mode to permissive by default is the most idiotic action you can perform on Android devices, IMO
its fine as long as you use the phone only for rooting and gaming
Guan Yu said:
its fine as long as you use the phone only for rooting and gaming
Click to expand...
Click to collapse
in what scenarios would it be considered not safe to leave it on permissive?
xXx yYy said:
Setting Android's SELinux mode to permissive by default is the most idiotic action you can perform on Android devices, IMO
Click to expand...
Click to collapse
I had that assumption too, but I think that I don't know enough to make that judgement
Related
I wanna know that can we make selinux mod to permissive for specific app through terminal or my using any other method I read about selinux in wiki but didn't got much details to do some tweaks and I am also not developer so that I don't know all codes used for this and that processes also I wanna set that specific permissive mod for "viper4android" app I want to use that app and also don't want to break out all doors of security by setting mod on permissive for all apps can anyone help me here plz !?
ChintanVyas said:
I wanna know that can we make selinux mod to permissive for specific app through terminal or my using any other method I read about selinux in wiki but didn't got much details to do some tweaks and I am also not developer so that I don't know all codes used for this and that processes also I wanna set that specific permissive mod for "viper4android" app
Click to expand...
Click to collapse
Sorry, you cannot do it for specific app..
SE Linux Enforcement has to be disabled universally throughout the system..
ChintanVyas said:
I want to use that app and also I don't want to break out all doors of security by setting mod on permissive for all apps can anyone help me here plz !?
Click to expand...
Click to collapse
Once your phone is rooted, it means it is vulnerable to all risks..
It just takes a single command (setenforce 0) for a malware app to set SE Linux to 'Permissive' if granted root permission.
So, it's just in your hands to select the right trustable apps.
Go ahead, and set it to 'Permissive'.
Nothing will happen..
I've read a dozen articles about SE Linux permissive and enforcing. I do know now that permissive allows everything and logs denials and enforcing blocks access denials.
But I wanted to know what kind of an impact it really does on Android especially on Marshmallow? What would be serious threats if it is permissive? Does it really matter?
Currently I want to use a kernel for my phone that works perfectly but does not allow enforcing as it resets to permissive. Now I'm not quite sure if I should stick to it when in my opinion enforcing is far more safe. However, I do not really know which is why I'm asking this right now.
Thanks in advance!
Macusercom said:
I've read a dozen articles about SE Linux permissive and enforcing. I do know now that permissive allows everything and logs denials and enforcing blocks access denials.
But I wanted to know what kind of an impact it really does on Android especially on Marshmallow? What would be serious threats if it is permissive? Does it really matter?
Currently I want to use a kernel for my phone that works perfectly but does not allow enforcing as it resets to permissive. Now I'm not quite sure if I should stick to it when in my opinion enforcing is far more safe. However, I do not really know which is why I'm asking this right now.
Thanks in advance!
Click to expand...
Click to collapse
can't impact alot and no it won't be serious (if) u knew what u are installing from apps ...if ur apps are basically from known deves or from google play nothing will happen to u and everything will run ok and safe for u ... almost all apps will behave as if the selinux is enabled when in permissive ....the true danger when u have ur kernel SE linux fully disabled
Bought an M9 two weeks ago ( just went over my buyer's remorse period so i own it now). Love the phone but why isn't there any kernel development on this device?
justthefacts said:
Bought an M9 two weeks ago ( just went over my buyer's remorse period so i own it now). Love the phone but why isn't there any kernel development on this device?
Click to expand...
Click to collapse
Because the sources they gave us break stock camera... The camera works but can't save photos taken.
Selinux is easy to set anyway.
Is there anyway to know the selinux state on this phone without using any apps? (rooted)
justthefacts said:
Is there anyway to know the selinux state on this phone without using any apps? (rooted)
Click to expand...
Click to collapse
'getenforce' command in terminal.
Use 'setenforce 0' for Permissive, 'setenforce 1' for Enforcing.
Setenforce requires su, getenforce does not.
ante0 said:
'getenforce' command in terminal.
Use 'setenforce 0' for Permissive, 'setenforce 1' for Enforcing.
Setenforce requires su, getenforce does not.
Click to expand...
Click to collapse
Do I have to do this on every boot?
justthefacts said:
Do I have to do this on every boot?
Click to expand...
Click to collapse
There are scripts/apps to set it automatically.
Here's one for example: https://forum.xda-developers.com/android/apps-games/app-selinux-switch-t3656502
ante0 said:
There are scripts/apps to set it automatically.
Here's one for example: https://forum.xda-developers.com/android/apps-games/app-selinux-switch-t3656502
Click to expand...
Click to collapse
Scripts don't stick and Selinux switch doesn't work all the time. Have there been any attempts on making Selinux permissive kernels?
justthefacts said:
Scripts don't stick and Selinux switch doesn't work all the time. Have there been any attempts on making Selinux permissive kernels?
Click to expand...
Click to collapse
There's no point if you want a working camera. As I said, Huaweis source breaks camera.
That said, making a kernel with selinux set to permissive is not hard. You can even use hexeditor to modify boot.img to always be permissive.
Check this post https://forum.xda-developers.com/showpost.php?p=59160364&postcount=23
ante0 said:
There's no point if you want a working camera. As I said, Huaweis source breaks camera.
That said, making a kernel with selinux set to permissive is not hard. You can even use hexeditor to modify boot.img to always be permissive.
Check this post https://forum.xda-developers.com/showpost.php?p=59160364&postcount=23
Click to expand...
Click to collapse
If I set selinux permissive in the kernel, would it mess up the camera?
justthefacts said:
If I set selinux permissive in the kernel, would it mess up the camera?
Click to expand...
Click to collapse
No. It's just broken in the source that Huawei released. Hacking it yourself on your firmwares boot image should keep camera intact (depending on your edits of course xD). Building kernel from source breaks the camera app regardless if you edit anything or not.
ante0 said:
No. It's just broken in the source that Huawei released. Hacking it yourself on your firmwares boot image should keep camera intact (depending on your edits of course xD). Building kernel from source breaks the camera app regardless if you edit anything or not.
Click to expand...
Click to collapse
So you can just edit the kennel to be permissive and all good? And no one has tried and reported?
This phone is almost a year old, 6 million users.
justthefacts said:
So you can just edit the kennel to be permissive and all good? And no one has tried and reported?
This phone is almost a year old, 6 million users.
Click to expand...
Click to collapse
What?
You can just edit it. I'm just saying that building a custom kernel from source is no good as it breaks camera. (this has nothing to do with selinux status)
Just edit and flash and you should be good to go.
Basically, a lot of ROMs I've downloaded come without the ability to switch SElinux to enforcing.
Which, apart from losing the ability to use Android Pay, is extremely unsafe from my understanding.
My question is why? Why does the device crash if you try to manually change it to enforcing? Why don't these devs release the ROM with SElinux on by default? Thanks
Dear XDA Community,
Sorry, this is a newbie question, but when I was asking for suggestions for a custom and also secure ROM, I was suggested Pixel Experience and I have also been told to set SELinux to permissive. What is the purpose of SELinux? Is there a guide on how to adjust it to the appropriate settings? Does it not come enabled as default? Thank you in advance.
jason.mix said:
Dear XDA Community,
Sorry, this is a newbie question, but when I was asking for suggestions for a custom and also secure ROM, I was suggested Pixel Experience and I have also been told to set SELinux to permissive. What is the purpose of SELinux? Is there a guide on how to adjust it to the appropriate settings? Does it not come enabled as default? Thank you in advance.
Click to expand...
Click to collapse
SELinux policy is a security feature built into your kernel. Android is set to "enforcing" by default, you have to manually switch to permissive. A lot of custom mods and root enabled apps require your device to be in permissive mode in order to work. A classic example that I've used many times is a mod called Viper4Android, it requires permissive mode in order for it to function. This is not the only example, there are many other apps and mods that require permissive mode. Your device must be rooted in order to use permissive mode.
There is nothing special about enabling this, you just need to look for a custom kernel for your specific model number that has permissive mode built into the kernel then install the kernel or you can find an app such as SELinux Switch/SELinux Toggle, but, I'm not sure if that app is supported any more, the developer that built it hasn't been active here in quite some time.
Sent from my SM-S767VL using Tapatalk
Droidriven said:
SELinux policy is a security feature built into your kernel. Android is set to "enforcing" by default, you have to manually switch to permissive.
Click to expand...
Click to collapse
Thank you for your response. Just to clarify, should I just leave it as it comes or should I always double check after flashing the custom ROM? And is there a guide on how to adjust this option appropriately or does it depend on the ROM? I came across this thread and it states that Pixel Experience is set to permissive automatically. What should I do? And do you have any other advice for what other precautions I should take in order to have that extra security when using a custom ROM? Once again, thank you.
jason.mix said:
Thank you for your response. Just to clarify, should I just leave it as it comes or should I always double check after flashing the custom ROM? And is there a guide on how to adjust this option appropriately or does it depend on the ROM? I came across this thread and it states that Pixel Experience is set to permissive automatically. What should I do? And do you have any other advice for what other precautions I should take in order to have that extra security when using a custom ROM? Once again, thank you.
Click to expand...
Click to collapse
If you are concerned with being secure, you need to leave the device in enforcing mode, not permissive. I'm not sure exactly how you would switch the Pixel ROM from permissive to enforcing, the ROM may have a setting or you may have to use the Kernel Auditor app to switch to enforcing mode.
If you are not going to be doing any kind of modification to the system partition, you won't need to worry with permissive mode.
If the Pixel ROM is permissive by default, you won't need to change anything.
I'm not sure you understand exactly how the "switch" between enforcing/permissive is achieved. It not simply a "setting" that you enable/disable.
Here are a few ways to enable permissive mode that I know of:
1) if your stock kernel does not support permissive mode, you have to flash a kernel that has permissive support.
2) if your stock kernel does support permissive mode but doesn't have permissive mode enabled, you have to use something like the "SELinux Switch" or "SELinux Toggle" apps, these apps force the stock kernel into permissive mode and can be set to automatically enable permissive mode whenever the device boots and persist from one reboot to the next.
3) it can be enabled via adb commands or adb shell commands via PC or, if you are rooted, you can use a terminal emulator app or the terminal emulator that is built into TWRP to issue commands to enable enforcing/permissive, whichever you need.
Sent from my SM-S767VL using Tapatalk
Droidriven said:
If you are concerned with being secure, you need to leave the device in enforcing mode, not permissive. I'm not sure exactly how you would switch the Pixel ROM from permissive to enforcing, the ROM may have a setting or you may have to use the Kernel Auditor app to switch to enforcing mode.
Click to expand...
Click to collapse
I am not planning on rooting or modifying my system in any way, but is there a way to check whether I am running in enforcing mode? I am still running MIUI for now and if it helps, my kernel version is 4.9 186-perf-g1e22c7b and if you need any more details then just let me know. Thank you for helping me out.
jason.mix said:
I am not planning on rooting or modifying my system in any way, but is there a way to check whether I am running in enforcing mode? I am still running MIUI for now and if it helps, my kernel version is 4.9 186-perf-g1e22c7b and if you need any more details then just let me know. Thank you for helping me out.
Click to expand...
Click to collapse
To check whether your device is set to enforcing/permissive, you should be able to look in system settings>about phone>SELinux Status
Or
system settings>about phone>software info>SELinux Status
Or something similar, the exact location of the info is different for different devices/android versions.
Sent from my SM-S767VL using Tapatalk