[FIX] Run Viper4Android in SELinux enforced mode


ShadySquirrel

Senior Member
Sep 7, 2015
972
810
Dear friends and OGPro users,

I got annoyed by running SELinux permissive for only one app - Viper4Android - so I've started searching for a way to allow it to run under Enforced mode. So far, I have found two ways:
1) changing ROM's sepolicy before building to allow exec permission for mediaserver (which looks like a bad idea),
2) adding live SELinux rule via init.d script

Second way looks a bit better for me, and someone at forums already made a fix, but it's working only if you have SuperSU installed because it needs SuperSU's supolicy binary.

Since lots of us don't use SuperSU, but instead use implemented superuser option, and since supolicy is closed source and only available in SuperSU package, I took some liberty and some of my free time to spend on lots of Google searches to find a way to implement this fix.

Requirements for this are:
- Lollipop ROM and kernel with init.d support
- working init.d
- good will to try it

Basically, this script flashes setools-android with sepolicy-inject binary and simple init.d script which is run at every boot and sets needed rules for mediaserver, allowing V4A to run under SELinux Enforced.

Flashable zip is available in the attachment. Tested and working on my device, running PAC 5.1.

setools-android and sepolicy-inject are open-source software, and credit for those projects goes to:
- xmikos @ github, for creating this tool bundle,
- pasis @ github, for originally porting setools,
- Joshua Brindle @ bitbucket, for creating sepolicy-inject
 

Attachments

  • V4A_sepolicy_fix.zip
    559.2 KB · Views: 4,491

onvsop

Member
Oct 14, 2015
12
4
Thanks! Great work!

Hi There, just wanted to say thanks for your great work, I had to edit the install script to allow it to install on my device (Samsung Galaxy Express GT-I8730 - Running CM-12.1). But it works perfectly! You should share this with the V4A Thread!
Thanks again!
 

ShadySquirrel

Senior Member
Sep 7, 2015
972
810
Hi There, just wanted to say thanks for your great work, I had to edit the install script to allow it to install on my device (Samsung Galaxy Express GT-I8730 - Running CM-12.1). But it works perfectly! You should share this with the V4A Thread!
Thanks again!

You're welcome :) I haven't tested it on other devices so I had to play safe. If it's working for you as it should, I'll fix the installer script in a few days :)
 

fmaher

Senior Member
Jan 2, 2011
130
37
Samsung Galaxy S21
For changing SELinux to Permissive mode permanently, run the following commands through Terminal Emulator:

su
mount -o remount,rw /system
mkdir /system/su.d
echo "#!/system/bin/sh" > /system/su.d/permissive.sh
echo "setenforce 0" >> /system/su.d/permissive.sh
echo "0" > /sys/fs/selinux/enforce
chmod 755 /system/su.d/permissive.sh
 

ShadySquirrel

Senior Member
Sep 7, 2015
972
810
For changing SELinux to Permissive mode permanently, run the following commands through Terminal Emulator:

su
mount -o remount,rw /system
mkdir /system/su.d
echo "#!/system/bin/sh" > /system/su.d/permissive.sh
echo "setenforce 0" >> /system/su.d/permissive.sh
echo "0" > /sys/fs/selinux/enforce
chmod 755 /system/su.d/permissive.sh

Point of this zip is to allow only domains needed for V4A to run as permissive, not whole system. System is still running under enforced, just V4A gets access to tmpfs it needs to work properly.
 

pittvandewitt

Senior Member
Mar 11, 2012
165
372
's-Hertogenbosch
Hi @ShadySquirrel,
I really like your found solution. I think it's way better than flashing supersu and all the v4a stuff to get it working. However it doesn't seem to work on Android 6. More information is on the screenshot attached. Is it easy to fix this by changing the support range from 15-29 to 15-30 or any other way?
Thanks in advance
 

Attachments

  • Screenshot_20151213-133659.png
    155 KB · Views: 831

ShadySquirrel

Senior Member
Sep 7, 2015
972
810
Hi @ShadySquirrel,
I really like your found solution. I think it's way better than flashing supersu and all the v4a stuff to get it working. However it doesn't seem to work on Android 6. More information is on the screenshot attached. Is it easy to fix this by changing the support range from 15-29 to 15-30 or any other way?
Thanks in advance

Marshmallow will have to wait until binaries I'm using there are fixed and get support for it, unfortunately... Since I'm not the author of binaries, I can't give you an ETA.
 

upalrahman

Senior Member
Oct 17, 2012
216
72
Dhaka
For changing SELinux to Permissive mode permanently, run the following commands through Terminal Emulator:

su
mount -o remount,rw /system
mkdir /system/su.d
echo "#!/system/bin/sh" > /system/su.d/permissive.sh
echo "setenforce 0" >> /system/su.d/permissive.sh
echo "0" > /sys/fs/selinux/enforce
chmod 755 /system/su.d/permissive.sh

Well, I'm not sure what I have done wrong here... it reverts back to Enforcing mode every time after reboot.
I am on CM 13
 

OsniNO

Senior Member
Feb 4, 2015
185
125
No, sorry, I don't have any Nougat running devices to test (I'm still stuck on Lollipop), and I'm not even sure this method will work on N.

It's maybe just an error in policydb supported version. When I try to run the script manually, I get the message "policydb version 30 does not match my version range 15-29". I've attached a screenshot.
 

Attachments

  • Screenshot_20161012-123309.png
    68.1 KB · Views: 353

ShadySquirrel

Senior Member
Sep 7, 2015
972
810
It's maybe just an error in policydb supported version. When I try to run the script manually, I get the message "policydb version 30 does not match my version range 15-29". I've attached a screenshot.

Yeah, 6+ uses newer sepolicy, I'm not sure tools I've used are supporting it yet. I know that SuperSU has its own policy inject tool, so maybe you can try injecting rules with it and create an init.d script.

Really can't make it work with M/N, I don't have any devices to test
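
Added example, not part of the thread and not taken from V4A_sepolicy_fix.zip: a pre-flight check for the "policydb version 30 does not match my version range 15-29" failure reported above. It reads the version field from a binary policy header and refuses injection when the version is out of range, instead of falling back to permissive mode. The function names are hypothetical, the header layout is assumed to be the standard kernel binary policy format, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not taken from V4A_sepolicy_fix.zip.
TOOL_MIN=15   # range quoted in the thread's error message ("15-29")
TOOL_MAX=29

# read_u32le FILE OFFSET: print the little-endian u32 stored at OFFSET.
read_u32le() {
    # Read four single bytes and combine them, so host byte order is irrelevant.
    set -- $(od -An -tu1 -j "$2" -N 4 "$1" 2>/dev/null)
    [ $# -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# policydb_version FILE: print the version field of a kernel binary policy.
# Assumed layout: u32 magic 0xf97cff8c, u32 string length, "SE Linux", u32 version.
policydb_version() {
    magic=$(read_u32le "$1" 0) || return 1
    [ "$magic" = 4185718668 ] || return 1          # 0xf97cff8c in decimal
    len=$(read_u32le "$1" 4) || return 1
    [ "$len" = 8 ] || return 1
    [ "$(dd if="$1" bs=1 skip=8 count=8 2>/dev/null)" = "SE Linux" ] || return 1
    read_u32le "$1" 16
}

# injection_supported FILE: 0 = version in range, 1 = version out of range,
# 2 = not a readable kernel policy.
injection_supported() {
    v=$(policydb_version "$1") || return 2
    [ "$v" -ge "$TOOL_MIN" ] && [ "$v" -le "$TOOL_MAX" ]
}

# make_sample_policy FILE VERSION: write a constructed header for the demo
# (VERSION must be below 256, it is written as a single byte plus padding).
make_sample_policy() {
    printf '\214\377\174\371\010\000\000\000SE Linux' > "$1"
    printf "\\$(printf '%03o' "$2")\\000\\000\\000" >> "$1"
}

# Demo: version 30 is the value in the Android 6 reports in the thread.
tmp=$(mktemp)
make_sample_policy "$tmp" 30
if injection_supported "$tmp"; then
    echo "policy version in range: injecting the rule is possible"
else
    echo "policydb version $(policydb_version "$tmp") is outside $TOOL_MIN-$TOOL_MAX:" \
         "skip injection and leave enforcing mode as it is"
fi
rm -f "$tmp"
```

In an init.d script the file argument would be the policy file the injector is pointed at; a non-zero result means the script should exit without touching the policy or the enforcing state.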
 
