How to Completely Disable Selinux in Android L in the Init.Rc File

How to completely disable SELinux in Android L in the init.rc file?

After

setenforce 0

the enforce attribute will be Permissive imeddiately.

How to completely disable selinux policy check while building AOSP?

Don't set BOARD_SEPOLICY_DIRS in your device config. So your private sepolicy will not be compiled.

Disabling SELinux in Android 5.0.1

There are two ways that enforcing mode is set. On user builds, it will always be in enforcing. On eng or userdebug, you can control it. You can control it in the standard selinux way, by setting enforcing=1/0 on the kernel command line as outlined in Dan Walsh's blog:

http://danwalsh.livejournal.com/10972.html

The Android centric way is to set the kernel command line to androidboot.selinux=permissive

You can control the kernel command line by editing your BoardConfig.mk and adding this:

BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive

The Android centric way is enforced by init, if you look in system/core/init/init.cpp look at the selinux_initialize() routine that is called from main().

How to set SELinux to 0 or permissive mode in android 4.4.4 and above?

Apparently Google has removed the CONFIG_SECURITY_SELINUX_DEVELOP kernel flag from many of their Stock kernels. Thus the standard trick mentioned by William (below) probably doesn't work. An example of these devices is the Samsung Note 4 (SM-N910F) running AOS 4.4.4.

The link above states:

CONFIG_SECURITY_SELINUX_DEVELOP aka global permissive mode, is useful for
when you are first developing device-specific policy for a board (add
'androidboot.selinux=permissive' to BOARD_KERNEL_CMDLINE). It also
permits transient setenforce 0 in -userdebug or -eng builds, which can
be helpful for developers.

If the bootloader is locked, then you can't modify the kernel cmdline

"Also, the code in the init program for processing the
androidboot.selinux= option is only compiled in -userdebug and -eng builds, so even aside from bootloader locking, you cannot use
androidboot.selinux=permissive on a -user build."

The way to check what build type you have is:

$ getprop ro.build.type
user

Modifying init.rc to add my own android native service

This cannot be done from shell. init.rc is part of ramdisk and not system partition. So at bootup, the init.rc picked up will be from ramdisk. So whatever changes you do to init.rc will not get reflected.

AFAIK Only way is to build the ROM and reflash

Check this post, it is related, might help

Execute a daemon in Android init.rc

I got the same issue with nexus 9. I added code to device/htc/flounder/init.flounder.rc but doesnt work.

service pollingclient /system/bin/sh logwrapper
    class late_start
    user root
    group root
    oneshot

on property:dev.bootcomplete=1
    start pollingclient

My quick fix is added code to start my daemon in system/core/adb/adb_auth_client.c after fdevent_add(&t->auth_fde, FDE_READ);

kill_if_exist_service("mydaemon");
system("sleep 5; mydaemon");

It works but its some kind of "quick fix". I am still investigating right solution.

update:
I disable selinux by edit ./arch/arm64/configs/flounder_defconfig set CONFIG_SECURITY_SELINUX=n then recompile kernel and recompile boot.img. Wow, it works!

---

Related Topics