SELinux on Custom ROMs
SELinux (Security-Enhanced Linux) is Android's mandatory access control system: a kernel-enforced policy that decides what each process may touch, on top of the ordinary Unix permission checks. Understanding it helps when troubleshooting and developing ROMs.
What is SELinux?
SELinux controls which processes can access which resources:
- Files
- Sockets
- Devices
- Properties
Even processes running as root (UID 0) are restricted: the SELinux check runs after the normal permission check, and a root process gets only what the policy grants its domain.
Modes
Enforcing
- Normal operation
- Denied accesses are blocked and logged
- Security fully active
- Required for production builds
Permissive
- Denied accesses are only logged, not blocked
- Everything that the normal Unix permissions allow goes through
- Used for debugging and for collecting denials while writing policy
- Not safe for daily use
Check Mode
getenforce
# Returns: Enforcing or Permissive
SELinux and Custom ROMs
Why Policies Break
When porting ROMs:
- New processes (HALs, daemons, vendor services) need domains and rules of their own
- Vendor blobs taken from another device or Android version expect different types and labels
- New or moved files, device nodes and properties need labels in file_contexts, genfs_contexts or property_contexts
Symptoms of Policy Issues
- Features don't work (even with root)
- AVC denials in logcat
- Mysterious silent failures
Debugging SELinux
Finding Denials
adb logcat | grep -i avc
# or
adb logcat | grep -i denied
Denials that happen early in boot, before logcat is running, appear in the kernel log (dmesg) instead.
Example Denial
avc: denied { read } for name="file" dev="sda1" ino=123 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0
Read it field by field: the braces hold the permissions that were denied; scontext is the source (the domain of the process asking, here untrusted_app); tcontext is the target (the label of the object, here a file of type vendor_file); tclass is the object class; permissive=0 means the access was actually blocked, while permissive=1 marks a would-be denial recorded while the device was in permissive mode. On a real device the line also carries pid= and comm= fields naming the process.
Quick Test: Permissive Mode
Temporarily, for debugging only:
su
setenforce 0
# Test if issue was SELinux
setenforce 1
This needs root, and a policy that lets the root domain change the enforcement state; on a build where it does not, setenforce fails with a permission error. The setting does not survive a reboot. If permissive mode fixes the issue, the cause is missing or wrong policy, and the fix is a policy update, not shipping the ROM permissive.
Proper Fix: Policy Updates
Instead of permissive mode, add proper policies built from the denials you collected:
# In device/vendor/codename/sepolicy/
# One rule per (source domain, target type, class) taken from a denial:
#   allow <scontext type> <tcontext type>:<tclass> { <permissions> };
# e.g. for a denial of { read open } on a file labelled sysfs_thermal
# from the domain hal_thermal_default (both names are illustrative):
allow hal_thermal_default sysfs_thermal:file { open read };
Use the specific domain and type from the denial, never attributes such as domain or file_type: a rule like allow domain file_type:file read; grants every process read access to every file. Not every denial deserves an allow rule either. Granting an app domain such as untrusted_app access to vendor files silences the denial but defeats the design; AOSP's neverallow rules forbid many such grants, and a device policy that violates one fails to compile. Often the right fix is labelling rather than permission: give the object its own type in file_contexts or genfs_contexts so it no longer carries a generic label like sysfs, vendor_file or unlabeled, then allow only that type. This requires knowledge of the SELinux policy language.
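The two steps above, collecting denials and turning each one into a rule, can be automated. The following Python script is an added example, not code from the original page or from any ROM project: it parses AVC lines out of logcat output, merges them into candidate allow rules the way audit2allow does, and flags rules that should not be added blindly (app-domain sources and generic targets). The log lines embedded in it are constructed for this example, and the APP_DOMAIN_PREFIXES and GENERIC_TARGETS lists are assumptions used as review heuristics, not AOSP's real neverallow set.

```python
"""Turn AVC denials from logcat into candidate SELinux allow rules and review them.

Added example for this page; the sample log below is constructed, not captured
from a device, and the review lists are heuristics, not AOSP's neverallow rules.
"""
import re
from collections import defaultdict

# Constructed logcat excerpt: two HAL denials against generic sysfs labels, one app
# denial on a vendor file, an unrelated line, and one would-be denial (permissive=1).
SAMPLE_LOG = """\
04-01 12:00:01.123  1234  1234 W HwBinder:1234_1: type=1400 audit(0.0:12): avc: denied { read } for name="thermal_zone0" dev="sysfs" ino=4567 scontext=u:r:hal_thermal_default:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
04-01 12:00:01.456  1234  1234 W HwBinder:1234_1: type=1400 audit(0.0:13): avc: denied { read open } for name="temp" dev="sysfs" ino=4568 scontext=u:r:hal_thermal_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
04-01 12:00:02.001  2222  2222 W com.example.app: type=1400 audit(0.0:14): avc: denied { read } for name="file" dev="sda1" ino=123 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0
04-01 12:00:02.500  3333  3333 I ActivityManager: Start proc 3333:com.example.app/u0a512
04-01 12:00:03.000  1234  1234 W HwBinder:1234_1: type=1400 audit(0.0:15): avc: denied { read open } for name="temp" dev="sysfs" ino=4568 scontext=u:r:hal_thermal_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
"""

# The audit part of an AVC denial. Contexts may carry MLS categories
# (u:r:untrusted_app:s0:c512,c768), so they are matched as one non-space token.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Review heuristics (assumptions for this example): denials from app domains, or
# against generic labels, usually mean a mislabelled object or a design problem,
# and the fix is a new type in file_contexts/genfs_contexts, not a wider allow rule.
APP_DOMAIN_PREFIXES = ("untrusted_app", "isolated_app", "platform_app", "priv_app", "system_app")
GENERIC_TARGETS = {"sysfs", "proc", "device", "vendor_file", "system_file", "rootfs", "unlabeled"}


def type_of(context):
    """Return the type (domain) field of a context such as u:r:foo:s0."""
    return context.split(":")[2]


def parse_denial(line):
    """Describe one AVC denial as a dict, or return None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: access went through but would be blocked when enforcing.
        "permissive": m.group("permissive") == "1",
        "name": fields.get("name"),
        "comm": fields.get("comm"),
    }


def collect_rules(lines):
    """Merge every denial into candidate rules keyed by (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_rule(key, perms):
    """Render one candidate rule in SELinux policy language."""
    source, target, tclass = key
    perm_str = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_str = "{ " + perm_str + " }"
    return f"allow {source} {target}:{tclass} {perm_str};"


def review_rule(key):
    """Return warnings for a candidate rule; an empty list means nothing was flagged."""
    source, target, _ = key
    warnings = []
    if source.startswith(APP_DOMAIN_PREFIXES):
        warnings.append(f"source {source} is an app domain; do not widen app access to fix a ROM bug")
    if target in GENERIC_TARGETS:
        warnings.append(f"target {target} is a generic label; give the object its own type instead")
    return warnings


def suggest(lines):
    """Return (rule_text, warnings) pairs, one per distinct (source, target, class)."""
    return [(format_rule(k, p), review_rule(k)) for k, p in sorted(collect_rules(lines).items())]


if __name__ == "__main__":
    import sys
    # Pipe real output in with: adb logcat -d | python3 avc_suggest.py
    source_lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for rule, warnings in suggest(source_lines):
        print(rule)
        for w in warnings:
            print("  # WARNING:", w)
```

Denials with permissive=1 are merged with the rest on purpose: that is how a permissive run is used to gather the full set of accesses a new component needs before switching the build back to enforcing. The warnings are the part audit2allow does not give you; every flagged rule should be answered with a label change or a design change, not pasted into the device sepolicy.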
For ROM Users
What to Know
- Keep SELinux enforcing; it is what contains a compromised app or service
- A ROM shipped permissive has switched that containment off for every process on the device
- "SELinux permissive" in a ROM description means avoid it for daily use
When Something Doesn't Work
Check if SELinux is the cause:
adb logcat | grep denied
Report to ROM developer with denial logs.
SELinux is complex but essential for Android security. Learn the basics to understand what's happening under the hood.