Android Customizing SePolicy

From Variscite Wiki
Android - Customizing SELinux Policy


SELinux (Security-Enhanced Linux) is the mandatory access control mechanism that hardens Android by controlling which processes may access which files and resources.
Please refer to for more detailed concepts.

Bringup Stages and SELinux Permissive

SELinux is enforcing on Android 7.1.1 and later, but during bring-up you may still need to access certain device nodes or let an application control the hardware directly.
We recommend building the proper sepolicy by following
This requires SELinux to be set to permissive mode.
Refer to for how to validate and remove the proper file contexts and sepolicy in place.
You will typically see output like the following in the kernel log when the AVC (access vector cache) denies access, especially to applications:

$ adb shell su root dmesg | grep 'avc: '
type=1400 audit: avc:  denied  { read write } for  pid=177
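Once the device is permissive, such denials are still logged (with permissive=1) instead of blocking, and each one names the source domain, target type, object class and permissions that a proper sepolicy allow rule needs. The script below is an added example, not part of the original wiki page: it condenses dmesg denial lines into those tuples. The sample lines, process names and pids are constructed, not captured from a device.

```shell
#!/bin/sh
# Summarise AVC denials from dmesg into the (domain, type, class, perms) tuples
# that a sepolicy allow rule needs. Pipe real output from
#   adb shell su root dmesg | grep 'avc: '
# into avc_summary; SAMPLE_AVC below is constructed for illustration only.

# Constructed sample denials (not captured from a real device); comm names,
# pids and inode numbers are made up.
SAMPLE_AVC='type=1400 audit(1000.001:10): avc:  denied  { read write } for  pid=177 comm="example_app" name="ttymxc1" dev="tmpfs" ino=9876 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
type=1400 audit(1000.002:11): avc:  denied  { open read } for  pid=177 comm="example_app" path="/dev/ttymxc1" dev="tmpfs" ino=9876 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
type=1400 audit(1000.003:12): avc:  denied  { write } for  pid=201 comm="example_hal" name="brightness" dev="sysfs" ino=4321 scontext=u:r:hal_light_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
some unrelated kernel line that must be ignored'

# Read denial lines on stdin, print one line per (domain, type, class) with the
# union of denied permissions, sorted for stable output.
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)      # keep the text after "{ "
        sub(/ *[}].*/, "", perms)              # drop " }" and everything after it
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        key = s[3] " " t[3] " " cls          # u:r:DOMAIN:... / u:object_r:TYPE:...
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END { for (k in seen) print k " { " seen[k] " }" }
    ' | sort
}

# Count denials logged with permissive=1: accesses that went through only
# because SELinux was permissive and that would be blocked in enforcing mode.
avc_permissive_count() {
    awk '/avc: +denied/ && /permissive=1/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_permissive_count
```

Each summary line maps directly onto an `allow DOMAIN TYPE:CLASS { perms };` rule for the device sepolicy; the AOSP audit2allow tool performs the same conversion with full policy awareness, so treat this output as a review aid rather than a rule generator.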

SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:

$ adb shell setenforce 0

Or at the kernel command line (during early device bring-up):


Setting permissive mode in the boot image

Edit the U-Boot command line arguments: change the following macro

	"bootargs=" \

and append "androidboot.selinux=permissive\0" to the kernel command line:

	"bootargs=" \

Compile U-Boot

Compile the new U-Boot

$ cd ~/var_n_711_100/n_711_100_build
$ source build/
$ lunch -userdebug
$ make -j4 bootloader 2>&1 | tee build1-1.log

There are two methods to update the bootloader. The first is to flash the binaries with the Android Recovery SD card, replacing the binaries in /opt/images/Android/
Boot from Yocto, and run

  • Note: This erases the existing contents and installs everything from scratch.

If you only want to update U-Boot, and your platform already has a working bootloader and adb, use the commands below to flash it directly to eMMC.

$ cd ~/var_n_711_100/n_711_100_build
$ adb root;sleep 3;
$ adb push out/target/product//u-boot.img-sd /data/
$ adb shell 'dd if=/data/u-boot.img-sd of=/dev/block/mmcblk0 bs=1k seek= conv=notrunc'
$ adb shell sync
$ adb reboot