nyan~

Engineering Rocks!

SELinux for Android

Reference

Projects

Control

  • Permissive mode
BOARD_KERNEL_CMDLINE
androidboot.selinux=permissive

HowTo

# reload policy
adb remount && adb push sepolicy /data/security/
adb shell setprop selinux.reload_policy <0|1>
# toggle enforcing and permissive
adb shell setenforce <0|1|permissive|enforcing>
adb shell getenforce

Policy

Policy rules take the form:

allow domains types:classes permissions;

where:

  • Domain - A label for the process or set of processes.
  • Type - A label for the object (e.g. file, socket) or set of objects.
  • Class - The kind of object (e.g. file, socket) being accessed.
  • Permission - The operation (e.g. read, write) being performed.

An example rule that follows this structure:

allow appdomain app_data_file:file rw_file_perms;
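
Added example, not part of the original page: a Python parser that splits an allow rule into the four fields listed above and expands brace sets into the individual (domain, type, class, permission) grants a reviewer would need to check. The second sample rule and its example_* names are constructed; macros such as rw_file_perms are kept as names rather than expanded, and the complement (~), wildcard (*) and exclusion (-) forms are not handled.

```python
import re
from itertools import product

# allow <domains> <types>:<classes> <permissions>;
# Each field is one identifier or a brace-enclosed set: { a b c }
_FIELD = r"(\{[^{}]*\}|[\w.\-]+)"
_RULE = re.compile(
    r"^\s*allow\s+" + _FIELD + r"\s+" + _FIELD
    + r"\s*:\s*" + _FIELD + r"\s+" + _FIELD + r"\s*;\s*$"
)


def _members(field):
    """Return the identifiers in a field, unpacking a { ... } set."""
    items = field.strip("{} \t").split()
    if not items:
        raise ValueError("empty set in rule")
    return items


def parse_allow(rule):
    """Split one allow rule into its four fields, each a list of names."""
    m = _RULE.match(rule)
    if m is None:
        raise ValueError(f"not an allow rule: {rule!r}")
    domains, types, classes, perms = (_members(g) for g in m.groups())
    return {"domains": domains, "types": types,
            "classes": classes, "permissions": perms}


def expand(rule):
    """List every (domain, type, class, permission) tuple the rule grants."""
    r = parse_allow(rule)
    return list(product(r["domains"], r["types"],
                        r["classes"], r["permissions"]))


if __name__ == "__main__":
    samples = [
        # Rule from the page; rw_file_perms is a macro and stays unexpanded.
        "allow appdomain app_data_file:file rw_file_perms;",
        # Constructed rule using brace sets (example_* names are hypothetical).
        "allow example_domain { example_a_file example_b_file }:{ file dir } { read getattr };",
    ]
    for s in samples:
        print(s)
        for grant in expand(s):
            print("   ", grant)
```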