How to disable SELinux on an Android system

Reference

After building my own boot image for the Android 6-based Razer Forge TV and patching adb to allow root, I noticed that I still could not access the /data directory:

root@pearlyn:/ # ls -l /data
opendir failed, Permission denied

root@pearlyn:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

adb logcat showed the following:

10-01 17:30:23.079  2427  2427 W sh      : type=1400 audit(0.0:30): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0

So the problem is that despite being root, my SELinux context u:r:shell:s0 prevents me from doing all the things I want to.

Disabling SELinux

You can check if SELinux is enabled with getenforce:

root@pearlyn:/ # getenforce
Enforcing

I tried different things to disable SELinux, but all of them failed:

  • Modifying the kernel cmdline parameters in the boot image to disable SELinux:

    enforcing=0 androidboot.selinux=permissive
    
  • Disabling SELinux from an adb shell:

    setenforce permissive
    

    Adding this to the boot image's init.rc did not help either.

  • Disabling some SELinux-specific commands in the boot image's init.rc:

    setprop selinux.reload_policy 1
    restorecon_recursive /data
    
  • Giving adbd root capabilities in init.rc by changing u:r:adbd:s0 to u:r:su:s0:

    service adbd /sbin/adbd --root_seclabel=u:r:su:s0
      seclabel u:r:su:s0
    

    In this case I could no longer connect via adb (connection refused), which means adbd could not start.

I could not access /data whatever I did.

User mode

Then I found out that SELinux cannot be disabled in user mode firmware builds! The Android documentation states:

SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:
adb shell setenforce 0

The Razer Forge TV firmware M-144 is a user build, though:

root@pearlyn:/ # getprop ro.build.type
user

There is no way to disable SELinux on a user build from the running system. In AOSP, init honours androidboot.selinux=permissive only when it is compiled with ALLOW_PERMISSIVE_SELINUX, which the build system sets for userdebug and eng builds but not for user builds, so the cmdline change is ignored. The sepolicy of a user build does not grant the shell domain the setenforce permission, so setenforce fails even for uid 0, and it does not define the su domain at all, which is why init refuses to start an adbd labelled u:r:su:s0. Turning enforcement off therefore means rebuilding the ramdisk's init and sepolicy yourself (and possibly the kernel), not just editing init.rc.
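The script below is an added example, not part of the original post and not Android tooling. It takes the two facts the post reads off the device, the avc denial that logcat printed and the value of ro.build.type, and shows how to decode them: the denied permission, the source domain, the object class and whether the denial was enforced (permissive=0) or only logged, followed by the rule quoted from the Android documentation that setenforce is only supported on userdebug and eng builds. The avc line is a constructed copy of the one in the post, the function names are my own, and the script runs on a developer host with a POSIX sh rather than on the device.

```shell
#!/bin/sh
# Added example: dissect an Android SELinux avc denial and decide whether
# enforcement can be turned off on this build. Runs on a developer host
# with a POSIX sh; nothing here talks to a device.

# Constructed sample, modelled on the logcat line in the post.
SAMPLE_AVC='10-01 17:30:23.079  2427  2427 W sh      : type=1400 audit(0.0:30): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0'

# avc_field LINE KEY: value of the KEY=value pair inside the avc message.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission list between "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*avc: denied { *\(.*[^ ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type (domain) field of u:r:TYPE:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# denial_summary LINE: one-line reading of the denial.
# permissive=0 means the denial was actually enforced, not just logged.
denial_summary() {
    _line=$1
    _perms=$(avc_perms "$_line")
    _dom=$(context_type "$(avc_field "$_line" scontext)")
    _class=$(avc_field "$_line" tclass)
    if [ "$(avc_field "$_line" permissive)" = 0 ]; then
        _result=enforced
    else
        _result=logged-only
    fi
    printf 'domain=%s denied=%s class=%s result=%s\n' "$_dom" "$_perms" "$_class" "$_result"
}

# selinux_can_be_disabled BUILD_TYPE: "yes" when "adb shell setenforce 0"
# is supported (per the quoted documentation: userdebug or eng only),
# otherwise "no".
selinux_can_be_disabled() {
    case "$1" in
        userdebug|eng) echo yes ;;
        *)             echo no ;;
    esac
}

# The sample reads as: uid 0 running in the shell domain was denied the
# dac_override capability, which is what lets root bypass the 0771
# system:system permission bits on /data, and the denial was enforced.
denial_summary "$SAMPLE_AVC"
# -> domain=shell denied=dac_override class=capability result=enforced

# Build type as the post reports it for firmware M-144.
BUILD_TYPE=user
printf 'ro.build.type=%s setenforce possible=%s\n' \
    "$BUILD_TYPE" "$(selinux_can_be_disabled "$BUILD_TYPE")"
# -> ro.build.type=user setenforce possible=no
```

On a real device the two inputs come from `adb logcat | grep avc:` and `adb shell getprop ro.build.type`; piping a captured denial into denial_summary tells you at a glance whether you are fighting DAC (a missing capability, as here) or a type-enforcement rule (tclass=dir or file with a different tcontext), which changes what a fix would have to touch.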

posted @ 2024-11-05 11:13  dolinux  views(255)  comments(0)