SEAndroid in Enforce-Mode

OP druidster

5th July 2014, 03:40 AM   |  #1  
OP Junior Member
Hi there,

I just got a Galaxy Note Pro 12.2 LTE with Snapdragon, and as this is my third Android device I rooted it with Towelroot (had to use the string for 'new Samsung' from Geohot's page). So after rooting it I installed all the apps I am used to, but I have a problem with Orbot (Tor Proxy). Regardless of whether it is set up to provide a SOCKS proxy or to transparently proxy the traffic from apps or everything, it wouldn't start binding to the local control port.

After finding out that SEAndroid has been incorporated by Google into Android and finding more stuff that doesn't work (like mounting an NFS share from my home server to the tablet), I started to think that maybe the Orbot problem is related to the kernel on the tablet being in enforcing mode. I tried everything I could find here and elsewhere to set it to permissive, no way to do it... (other than flashing a custom kernel where this is disabled...) As far as I get it, we should be able to switch modes by several commands, like setenforce Permissive or echoing 1 or 0 somewhere to the SELinuxFS. All this doesn't work, as we have root access but I guess we are in the wrong context or this has been blocked otherwise.

On the internet I found a lot of resources about management tools for SEAndroid, like 'setool' and 'SEAndroidmanage'. These are not on the tablet as far as I can see; maybe we have a chance of getting into permissive mode somehow if we only had those tools to work with the policy. For example, there is a mapping between Linux users and SEAndroid users which can be listed using setool. Maybe we can extract important info that way and find a way to permissive mode. Does anyone have those tools, or is the only way to get them to compile AOSP from source with options like buildtype 'eng', which also creates additional debugging tools? Maybe someone can tell me; I was already going to set up Ubuntu 14.04 in a VM to build the actual sources.

There must be a way somehow to do this without flashing unsigned kernels or creating a new ramdisk, which also taint the device, which hasn't happened to mine up to now. It's very frustrating that I can't even mount NFS shares, regardless of the options I tried. So, does anyone know if this could work out or is it a waste of time?



Druidster
Last edited by druidster; 5th July 2014 at 03:47 AM.
5th July 2014, 08:58 AM   |  #2  
Senior Member
How about this?
5th July 2014, 05:58 PM   |  #3  
Senior Member
http://graemehill.ca/turning-a-galax...-linux-laptop/

He made a kernel that gives you permissive. Didn't work for me. Make sure to back up before trying.

---------- Post added at 04:58 PM ---------- Previous post was at 04:55 PM ----------

** Just read about you not wanting to flash unsigned kernels. Maybe it won't work for you.... Not sure about signed kernels, but guessing that means total stock?
6th July 2014, 01:42 AM   |  #4  
OP Junior Member
Hi,

I have had the device for 10 days now, so up to now it's still KNOX 0x0.
I have just started to read into this SELinux stuff and I thought it could help somehow to have the possibility of using the tools usually used to create or list policies and do other stuff. I wonder if they would work or if the tablet has been so locked down by Samsung that there is no possibility to change anything on this.

While reading about SELinux I found out that you can also create policies for network ports; maybe that's what is needed to make Orbot run without error when binding to a local port. So, I guess if I get more pissed at something not working on the stock image I will flash a custom kernel.
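
One way to test the guess made in the posts above, that SELinux enforcement is what refuses the port bind and the NFS mount, is to look for AVC denial records in the kernel log (`dmesg`) and see which permission was refused. This is an added example, not part of any post in the thread; the log lines, process names, port number and SELinux labels in it are constructed, not taken from the poster's tablet.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (assumed values, not captured from the device in this thread).
SAMPLE_LOG = """\
<5>[  812.301] type=1400 audit(1404531600.123:45): avc:  denied  { name_bind } for  pid=4321 comm="tor" src=9051 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
<5>[  812.944] type=1400 audit(1404531600.766:46): avc:  denied  { name_bind } for  pid=4321 comm="tor" src=9051 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
<6>[  813.100] binder: 4321:4330 transaction failed 29189, size 0-0
<5>[  901.552] type=1400 audit(1404531689.001:47): avc:  denied  { mount } for  pid=5002 comm="mount" name="/" dev="0:22" ino=2 scontext=u:r:init_shell:s0 tcontext=u:object_r:nfs:s0 tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text):
    """Count denials by (comm, tclass, permission, src port or None)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec.get("comm"), rec.get("tclass"), perm, rec.get("src"))] += 1
    return counts

def port_bind_denials(log_text):
    """Denials where a process was refused permission to bind a socket to a port."""
    return {k: n for k, n in summarize(log_text).items() if k[2] == "name_bind"}

if __name__ == "__main__":
    for (comm, tclass, perm, src), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {comm}: {perm} on {tclass}" + (f" port {src}" if src else ""))
```

A `name_bind` denial logged for the proxy's own process would show that the policy, rather than the app's configuration, is refusing the bind.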
10th July 2014, 02:31 AM   |  #5  
Senior Member
Just to clarify, I got the kernel to install. Now the kernel permission can be changed.

Sent from my SM-P900 using Tapatalk