How to set SELinux to 0 or permissive mode in android 4.4.4 and above?

Question

I want to set the SELinux (Security Enhanced Linux) mode to Permissive or (0) on android 4.4.4 (and above if possible). I use the following command: setenforce 0

Answer 1

MUST BE ROOTED! Not sure if this works on KitKat (it should) but I use this on my Nexus 6. Run following in terminal or ADB Shell:

su
mount -o remount,rw /system
mkdir /system/su.d
echo "#!/system/bin/sh" > /system/su.d/permissive.sh
echo "echo 0 > /sys/fs/selinux/enforce" >> /system/su.d/permissive.sh
chmod 755 /system/su.d/permissive.sh

And check it after reboot by this:

su
/system/bin/getenforce

Answer 2

Depending on how your device was rooted and what Android ROM your running will determine how you can disable it. The first thing to try is:

adb shell su 0 setenforce 0

This is NOT the same as:

adb shell setenforce 0

The execute on su causes a domain transition from shell (which cannot setenforce) into the su domain (which can call setenforce). For instance, run:

$ adb shell id -Z
context=u:r:shell:s0

compared to:

$ adb shell su 0 id -Z
context=u:r:su:s0

This may fail for three reasons:

1. You do not have the su executable
2. The su executable has the wrong label
3. The su domain rules were not compiled into the bootimage

To correct issue 2, you can (assuming adb is root):

adb remount
adb shell chcon /system/xbin/su u:object_r:su_exec:s0

This might fail, which will likely indicate issue 3. To fix issue 3, you need to recompile a boot.img that contains the su policy files. If you're compiling AOSP, just lunch a userdebug or eng variant of your device.

Another approach, would be to remove the functionality from init.c, and like issue 3, requires a recompile of the boot.img. Go into system/core/init/init.c (or .cpp) and remove all calls to security_setenforce().

Additionally, XDA has an application that may help automate this process and make it easier, however, I cannot speak to the quality of the application: http://www.xda-developers.com/easily-change-your-android-selinux-mode/

Answer 3

Apparently Google has removed the CONFIG_SECURITY_SELINUX_DEVELOP kernel flag from many of their Stock kernels. Thus the standard trick mentioned by William (below) probably doesn't work. An example of these devices is the Samsung Note 4 (SM-N910F) running AOS 4.4.4.

The link above states:

CONFIG_SECURITY_SELINUX_DEVELOP aka global permissive mode, is useful for when you are first developing device-specific policy for a board (add 'androidboot.selinux=permissive' to BOARD_KERNEL_CMDLINE). It also permits transient setenforce 0 in -userdebug or -eng builds, which can be helpful for developers.

If the bootloader is locked, then you can't modify the kernel cmdline

"Also, the code in the init program for processing the androidboot.selinux= option is only compiled in -userdebug and -eng builds, so even aside from bootloader locking, you cannot use androidboot.selinux=permissive on a -user build."

The way to check what build type you have is:

$ getprop ro.build.type
user