2

As I realized selinux for Android is more than tad bit different creature than what I can get done on Linux . I need SeLinux policy to be modified so I can bind mount my folders. Unless that happens I dont want to root my phone. The below was when I temp magisk rooted my Samsing M20 in permissive
Here are the issues I encountered trying to achieve the above.
-- AVC denials aren't logged into my Logcat. Why is that ? and should I be looking at some other file to get these. If they are disabled how can that be reversed. This is a Samsung Exynos Chipset.

    root@m20lte:/ # logcat -d | grep -i AVC
06-23 03:38:03.046  4392 19898 I OMXMaster: makeComponentInstance(OMX.Exynos.AVC.Encoder) in android.hardwar process
06-23 03:38:03.112 12145 12164 I ACodec  : [OMX.Exynos.AVC.Encoder] Now Loaded
06-23 03:38:03.128 12145 12164 I ACodec  : setupAVCEncoderParame

--- Can I just modify the Sepolicy file at or entire `kernel` needs to be `recompiled` 
/sys/fs/selinux/policy

. How many files need to change for a modfied custom SePolicy to be in effect

-- If changing Sepolicy isn't that simple & you need to recompile the Sepolicy in kernel. How do I go about doing that and before re-compile how do I test that it works for my goal


Here is what i did.

--- I pulled up the SePolicy which was in binary and ran it through sepolicy command on linux . No luck.

mnt/sda2 # sepolicy -P policy
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 692, in <module>
    args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'

-- before that obviously I tried a low hanging fruit given by this guide where I tried using bindfs with various userids and grouoids including the ones exemplied in the post but I still got errors. AVC errors not being logged I can figure our what caused these

Jason Reeves
  • 61
  • 6

1 Answers1

1

--- Can I just modify the Sepolicy file at or entire kernel needs to be recompiled

/sys/fs/selinux/policy

. How many files need to change for a modfied custom SePolicy to be in effect

First of all, if your device is rooted with Magisk, you can use Magisk's supolicy to add SELinux rules to your device.

If your device is not rooted with Magisk, it is still possible to 'simply' modify the sepolicy file to add new SELinux rules that will be loaded by init on startup of the device.

The file that you will have to modify to achieve this is /vendor/etc/selinux/precompiled_sepolicy (or /odm/etc/selinux/precompiled_sepolicy if it exists).

You can use tools such as sepolicy-inject to add your custom SELinux rules to the file.

Note that since the file is located on the /vendor partition, you will need to have read-write access to it. This can be achieved by remounting it if your device is rooted, or through recovery with a custom recovery image (such as TWRP).

Another option, if you do not need the policies to be permanent, is to directly load your policies with sepolicy-inject. Note that for this option, you need to have a rooted device, or have a SELinux context which would allow you to load policies (this would typically require you to add custom rules in the first place).

If you want more details on how the SELinux policies are loaded and how to modify them, take a look at this answer.

After that, all you need is to figure out which SELinux rules would be needed for your case, which you can find by grepping for avc errors in logcat. I am afraid however that I do not know right away why those avc errors are not showing in your logs.

Hope this helps!

Alhyoss
  • 41
  • 4