
SEAndroid in Enforce-Mode

druidster
(Last edited by druidster; 5th July 2014 at 02:47 AM.)
#1
Junior Member - OP

Hi there,

I just got a Galaxy Note Pro 12.2 LTE with Snapdragon, and as this is my third Android device I rooted it with Towelroot (had to use the string for 'new Samsung' from Geohot's page). So after rooting it I installed all the apps I am used to, but I have a problem with Orbot (Tor Proxy). Regardless of whether it is set up to provide a SOCKS proxy or to transparently proxy the traffic from apps or everything, it wouldn't start binding to the local control port.

After finding out that SEAndroid has been incorporated by Google into Android and finding more stuff that doesn't work (like mounting an NFS share from my home server to the tablet), I start to think that maybe the Orbot problem is related to the kernel on the tablet being in enforcing mode. I tried everything I could find here and elsewhere to set it to permissive, no way to do it... (other than flashing a custom kernel where this is disabled...) As far as I get it, we should be able to switch modes by several commands, like setenforce Permissive or echoing 1 or 0 somewhere to the SELinuxFS. All this doesn't work, as we have root access but I guess we are in the wrong context or this has been blocked otherwise.

On the internet I found a lot of resources about management tools for SEAndroid, like 'setool' and 'SEAndroidmanage'. These are not on the tablet as far as I can see; maybe we have a chance of getting into permissive mode somehow if we only had those tools to work with the policy. For example, there is a mapping between Linux users and SEAndroid users which can be listed using setool. Maybe we can extract important info that way and find a way to permissive mode. Does anyone have those tools, or is the only way to get them to compile AOSP from source with options like buildtype 'eng', which also creates additional debugging tools? Maybe someone can tell me, I was already gonna set up Ubuntu 14.04 in a VM to build the actual sources.

There must be a way somehow to do this without flashing unsigned kernels or creating a new ramdisk, which also taint the device, which hasn't happened to mine up to now. It's very frustrating I can't even mount NFS shares, regardless of the options I tried. So, does anyone know if this could work out or is it a waste of time?



Druidster
 
Spere
#2
Senior Member
How about this?
 
canezila
#3
Senior Member
http://graemehill.ca/turning-a-galax...-linux-laptop/

He made a kernel that gives you permissive. Didn't work for me. Make sure to backup before trying.

---------- Post added at 04:58 PM ---------- Previous post was at 04:55 PM ----------

** just read about you not wanting to flash unsigned kernels. Maybe it won't work for you.... Not sure about signed kernels but guessing that means total stock?
 
druidster
#4
Junior Member - OP
Hi,

I have had the device for 10 days now, so up to now it's still KNOX 0x0.
I have just started to read into this SELinux stuff and I thought it could help somehow to have the possibility of using the tools usually used to create or list policies and do other stuff. I wonder if they would work or if the tablet has been so locked down by Samsung that there is no possibility to change anything on this.

While reading about SELinux I found out that you can also create policies for network ports, maybe that is what is needed to make Orbot run without error when binding to a local port. So, I guess if I get more pissed at something not working on the stock image I will flash a custom kernel.
 
canezila
#5
Senior Member
Just to clarify, I got the kernel to install. Now the kernel permission can be changed.

Sent from my SM-P900 using Tapatalk
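
Added example, not from any poster in this thread: before changing modes or kernels, the kernel log can confirm whether SELinux is what blocks the port bind and the NFS mount the thread describes. The function names, the sample log lines, port 9051 and the context labels are constructed for illustration; `/sys/fs/selinux/enforce` is the standard selinuxfs node.

```shell
#!/bin/sh
# Summarise SELinux AVC denials read on stdin (e.g. `dmesg | avc_summary`).
# Prints one line per distinct tuple: "count comm permission(s) tclass".
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        comm = "?"; tclass = "?"; perms = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        count[comm " " perms " " tclass]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Report the current mode from the selinuxfs "enforce" node (1 or 0).
# $1 = selinuxfs mount point, default /sys/fs/selinux.
selinux_mode() {
    f="${1:-/sys/fs/selinux}/enforce"
    [ -r "$f" ] || { echo "Unavailable"; return; }
    case "$(cat "$f")" in
        1) echo "Enforcing" ;;
        0) echo "Permissive" ;;
        *) echo "Unknown" ;;
    esac
}

# Constructed sample lines in the usual kernel AVC format (not real device output).
sample_log() {
    cat <<'EOF'
<5>[  812.101] type=1400 audit(1404526021.101:45): avc:  denied  { name_bind } for  pid=4321 comm="tor" src=9051 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
<5>[  815.340] type=1400 audit(1404526024.340:46): avc:  denied  { name_bind } for  pid=4377 comm="tor" src=9051 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
<5>[  901.777] type=1400 audit(1404526110.777:47): avc:  denied  { mount } for  pid=5012 comm="mount" scontext=u:r:shell:s0 tcontext=u:object_r:nfs:s0 tclass=filesystem
<6>[  902.000] wlan: link up
EOF
}

echo "mode: $(selinux_mode)"
sample_log | avc_summary
```

If no `avc: denied` line names the failing process, the failure has another cause and changing the SELinux mode would not fix it.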