2

I have a Samsung note 2014 which I rooted following this tutorial. However I now have problems with SELinux which (apparently) is preventing me from installing a Linux virtual box. I backed up and uninstalled KNOX using Titanium backup but still no success. When I type setenforce permissive in a terminal, if get no error message but when I type getenforce, I get "enforcing".

Is there any way I can change this? The device is running Android 4.3.

Reza
  • 169
  • 1
  • 1
  • 12
  • Have you 0x1 Knox flag? Have you installed any ROMs in the meantime? You have uninstalled the KNOX APP, but that doesn't have an effect on this. Have you flashed a custom Kernel with SEPermissive set on it? You could try the app recommended here: http://techbeasts.com/2014/02/25/how-to-disable-selinux-on-a-rooted-android-device/ but I'm doubtful to be honest. – RossC Mar 03 '14 at 13:01
  • I think I have the 0x1 flah because I can't get new updates. And not I've not flashed any ROMs. Should I go for Cyanogenmod? – Reza Mar 03 '14 at 13:51
  • Up to you what ROM to use, but I would not recommend CyanogenMod outside of a STABLE release, there are numerous known bugs in nightlies! It's all preference, try a few and see what you like. Don't forget BACKUPS! :) – RossC Mar 03 '14 at 14:15

3 Answers3

1

Getting around Militant SELINUX

You need to run a custom kernel build.

  1. Samsung open source is here
  2. My harvested info for setting up your build system for Linux is here
  3. The kernel patch you will need to fix SElinux to permissive is here. It should absolutely work for Kitkat source as well.

I would post the diff but it doesn't wrap right.

You should not need to set the SElinux boot flag and userspace disable options during menuconfig, but do remember to disable Samsung anti-root in the kernel hacking section.

moonbutt74
  • 683
  • 5
  • 14
  • The 3 step, it's link is dead, it leads to a 404 error on github, can you please either elaborate on what it was doing or post a new link. – Matt07211 Oct 31 '16 at 08:18
  • You should have posted the diff. Link is dead as mentioned by @Matt07211. – Marc.2377 Apr 12 '19 at 03:08
  • @Marc.2377 if my memory servers me correctly (figured out how to myself at a latter point) it was a simple 1 line/1 value change in the selinux subdir/makefile. I'll see if I can locate it again – Matt07211 Apr 12 '19 at 03:11
  • Found it, basically you set this to false I believe, it's Been a long time and I was a utterly clueless back then https://github.com/Matt07211/android_kernel_samsung_xcover3lte/blob/b920c232fd2d8246a66b4e2a0c8c5e536850025a/security/selinux/Makefile#L7 – Matt07211 Apr 12 '19 at 03:13
  • Thanks @Matt07211. – Marc.2377 Apr 12 '19 at 03:18
1

You need to open a local terminal shell, by using a "Terminal Emulator" like app. Otherwise you will not get an su'able shell. Since AOS 4.2.2, ADB is not letting you use "su", to get root shell, on stock "Enforced" SELinux devices.

Then do this:

su 0 setenforce 0

If you need to make this permanent to last between re-boots, you need to find where this is originally set in the various init.*.rc files in boot.img and change it, and reflash...

EDIT: 2015-09-22

The above trick no longer work on Stock devices using AOS 4.4.4 and above, even with insecure kernels. (Such as those provided by cf-autoroot.) That you can blame Google who made Enforcing permanent. Your only option, other than re-compiling your own ROM, is learning about SEAndroid and context changing using SuperSU's supolicy command to inject the policy files.

not2qubit
  • 847
  • 1
  • 12
  • 27
0

In Terminal emulator app, enter su and then enter setenforce 0. Now check the phone. It should show "permissive" until a reboot. You can execute the commands again after reboot or get SELinuxModeChanger from XDA which switches it automatically at boot.

Manu
  • 3,094
  • 7
  • 22
  • 40
user5281155
  • 1
  • 1