Saturday, May 16, 2015

security - How to troubleshoot SELinux issues?


On standard GNU/Linux computers, SELinux comes with a set of tools allowing the administrator to troubleshoot permission issues.



Such tools allow one to:

  • Temporarily switch a single domain to permissive mode, thus reducing the security impact on the whole device compared to a global permissive mode (and yes, per-domain permissive mode is supported in Android's SELinux): semanage

  • List existing SELinux users, roles and categories (AFAIK categories are used for multi-user devices): semanage, seinfo, chcat

  • Query the SELinux policy: sesearch


I did not find any of these tools in my device.


Is there any equivalent or a way to install them?



Answer



As I feared, Google is against letting people tweak SELinux. This is stated explicitly in the Android Compatibility Definition Document:

SELinux or any other security features implemented below the Android framework:

  • [...]

  • SHOULD NOT be user or developer configurable.






However, the good news is that there is indeed a FOSS project porting SELinux tools to Android: setools-android. This tool ports the usual seinfo and sesearch commands as found in the upstream SELinux Tools project, but it also adds the sepolicy-inject command, which allows modifying the current policy or setting a domain to permissive mode.


This, however, suffers from a big issue: unlike on standard computers, modifications made to the /sepolicy file, which stores the SELinux policy, are not persistent and will be lost upon device restart.


In fact, this file, as part of the root directory, is stored in a RAM disk image which, in turn, is stored in the device's boot image and extracted during the device's boot sequence. To apply permanent modifications to this file it is therefore necessary to modify the version stored within the device's boot image.


While the operation may still be possible from the device itself (as far as I know SuperSU for instance updates the boot image as part of its installation procedure), for my use-case I find it more convenient to do the operation from an external computer connected to the phone (here is my detailed procedure). Tools running on the device still remain useful though when frequent checks and updates of the SELinux policy are required (typically during development stages) and for automation (if a project needs a SuperSU-like installer for instance).
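As an added illustration of the answer's point about where the persistent copy lives (this is not code from the original answer nor from setools-android): a small Python script that walks a header-v0 Android boot image to its gzip'd cpio ramdisk and reports the size and SHA-256 of the /sepolicy it carries, which is the value to compare before and after re-flashing a modified image. The boot image it parses is constructed inline so the script runs offline; the header layout and cpio "newc" format are the standard ones, but a real image may use a newer header version or a different ramdisk compression.

```python
import gzip, hashlib, struct
BOOT_MAGIC = b"ANDROID!"
_align = lambda n, unit: (n + unit - 1) // unit * unit

def extract_ramdisk(boot_img):
    # Header v0 after the magic: kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
    # second_size, second_addr, tags_addr, page_size (little-endian u32 each).
    magic, kernel_size, _, ramdisk_size, _, _, _, _, page_size = struct.unpack_from("<8s8I", boot_img)
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    off = page_size + _align(kernel_size, page_size)  # one header page, then the padded kernel
    return boot_img[off:off + ramdisk_size]  # still gzip-compressed

def cpio_entries(cpio):
    """Parse a SVR4 'newc' cpio archive (the ramdisk format) into {path: data}."""
    files, pos = {}, 0
    while pos + 110 <= len(cpio):
        hdr = cpio[pos:pos + 110]
        if hdr[:6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % pos)
        filesize, namesize = (int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in (6, 11))  # of 13 hex fields
        name = cpio[pos + 110:pos + 110 + namesize - 1].decode()  # drop trailing NUL
        if name == "TRAILER!!!":
            break
        data_off = pos + _align(110 + namesize, 4)  # header+name padded to 4 bytes
        files[name] = cpio[data_off:data_off + filesize]
        pos = data_off + _align(filesize, 4)
    return files

def find_sepolicy(boot_img):
    """(size, sha256 hex) of /sepolicy inside the boot image's ramdisk, or None if absent."""
    policy = cpio_entries(gzip.decompress(extract_ramdisk(boot_img))).get("sepolicy")
    return None if policy is None else (len(policy), hashlib.sha256(policy).hexdigest())

def cpio_build(files):  # minimal 'newc' writer, used only to construct the sample below
    out = bytearray()
    for ino, (name, data) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        cname = name.encode() + b"\0"
        fields = (ino, 0o100644 if data else 0, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(cname), 0)
        for chunk in (b"070701" + b"".join(b"%08x" % v for v in fields) + cname, data):
            out += chunk + b"\0" * (_align(len(chunk), 4) - len(chunk))
    return bytes(out)

def build_boot_img(kernel, files, page_size=2048):
    ramdisk = gzip.compress(cpio_build(files))
    hdr = struct.pack("<8s8I", BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000, 0, 0, 0, page_size)
    return b"".join(p + b"\0" * (_align(len(p), page_size) - len(p)) for p in (hdr, kernel, ramdisk))
# Constructed sample, not a real device image: a stub kernel plus a ramdisk holding init.rc and sepolicy.
SAMPLE_POLICY = b"\x8c\xff\x7c\xf9" + b"constructed-policy-bytes"
SAMPLE_BOOT_IMG = build_boot_img(b"kernel-bytes", {"init.rc": b"on boot\n", "sepolicy": SAMPLE_POLICY})
```

Running find_sepolicy against a boot.img pulled from the device before and after a sepolicy-inject edit is re-flashed shows whether the persistent copy actually changed.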

