[Q] 'Correct' way to compile a permissive SELinux kernel?


As the title suggests, I'm attempting to compile a (Lollipop) Nexus 5 kernel with SELinux in permissive mode by default. For reference, I am using the msm kernel source tree at commit 8a80a0e.

I have managed to accomplish this by modifying msm/security/selinux/selinuxfs.c and inserting new_value = 0; into sel_write_enforce to prevent the mode being changed:


Code:


        length = -EINVAL;
        if (sscanf(page, "%d", &new_value) != 1)
                goto out;

        new_value = 0; /* inserted this line */

        if (new_value != selinux_enforcing) {
                length = task_has_security(current, SECURITY__SETENFORCE);
                if (length)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
                        "enforcing=%d old_enforcing=%d auid=%u ses=%u",


This method, however, doesn't seem particularly good, as it relies on the intricacies of the specific implementation of SELinux used in this kernel, and prevents the mode being changed later.

This post suggests changing the CONFIG_ALWAYS_ENFORCE flag for a Samsung device; however, the Nexus 5 kernel does not appear to have such an option. Setting the default state of SELinux using various menuconfig options and kernel command line parameters does not appear to have any effect, and disabling it entirely causes the device to crash after boot, before any logcat output is produced.

I have noticed that when started with a kernel with SELinux enabled, one of the first messages from logcat is from auditd, of the form enforcing=1 old_enforcing=0 auid=... ses=..., indicating that something is setting the SELinux mode to enforcing almost immediately after boot.

Thus, I am wondering if anyone knows where this command to set SELinux to enforcing comes from, how to disable it, or another way to compile a kernel with SELinux set to permissive?
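
The audit record described in the post follows the format string visible in the quoted audit_log() call, so every mode change can be pulled out of a saved kernel or logcat log and put in order. The following is an added example, not part of the original post or of the kernel source; the sample log lines are constructed, and the names mode_changes and final_mode are hypothetical.

```python
import re

# Payload of the AUDIT_MAC_STATUS record, per the format string in the post:
# "enforcing=%d old_enforcing=%d auid=%u ses=%u"
MAC_STATUS = re.compile(
    r"enforcing=(?P<new>\d+)\s+old_enforcing=(?P<old>\d+)"
    r"\s+auid=(?P<auid>\d+)\s+ses=(?P<ses>\d+)"
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
[    3.120000] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[    3.410000] type=1404 audit(0.0:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[   41.900000] type=1400 audit(0.0:9): avc: denied { read } for pid=211 comm="example"
[   97.250000] type=1404 audit(0.0:15): enforcing=0 old_enforcing=1 auid=0 ses=1
"""

UNSET_ID = 4294967295  # (u32)-1: auid/ses unset, i.e. no login session

def mode_changes(log_text):
    """Return one dict per enforcing-mode change found in log_text."""
    changes = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = MAC_STATUS.search(line)
        if not m:
            continue
        new, old = int(m["new"]), int(m["old"])
        auid, ses = int(m["auid"]), int(m["ses"])
        changes.append({
            "line": lineno,
            "old": old, "new": new,
            "direction": "to_enforcing" if new else "to_permissive",
            # True when the writer had no login session (e.g. an early boot process)
            "no_login_session": auid == UNSET_ID and ses == UNSET_ID,
        })
    return changes

def final_mode(log_text, boot_default=0):
    """Mode after the last recorded change; boot_default is an assumption."""
    changes = mode_changes(log_text)
    return changes[-1]["new"] if changes else boot_default

if __name__ == "__main__":
    for change in mode_changes(SAMPLE_LOG):
        print(change)
    print("final mode:", final_mode(SAMPLE_LOG))
```

A switch to permissive that appears after boot with a real auid and session, as in the last constructed line, is the kind of record worth alerting on for a device that is expected to stay enforcing.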

xda-developers