[MOD][P905] selinux permissive on stock kernel LTE QUALCOMM ONLY!


mame82

Member
Oct 30, 2008
22
9
Hi esgie,

I'm using a SM-P605 with rooted Stock KK-Rom. To get rid of "Enforcing" I first tried to modify the default.prop and init.rc of the ramdisk as stated http://xdaforums.com/showthread.php?t=2487089&page=10 by akshizzle. After reading your posts, I commented out the "/dev/mem" and "/dev/kmem" lines from "/file_contexts". After repacking and flashing the boot.img the changes are visible in "/file_contexts", but after running your kmem-script selinux stays on "enforce". I'm not sure if it has to do with the permission-problem on "/dev/kmem", because I don't see any errors (I'm no Linux geek).

The problem I have is mainly the same as on P905, there's no valid kernel-source published for the stock KK rom (P605XXUCNE2 by the way).

Maybe it's a problem with the other ramdisk-changes to init.rc / default.prop, which I didn't revert when editing /file_contexts. Or is there more to be done than commenting out the 2 lines?

With best regards

MaMe82
 

ziotom2

Senior Member
Jul 22, 2008
301
97
Milano
Samsung Galaxy S23 Ultra
Hi esgie,

I'm using a SM-P605 with rooted Stock KK-Rom. To get rid of "Enforcing" I first tried to modify the default.prop and init.rc of the ramdisk as stated http://xdaforums.com/showthread.php?t=2487089&page=10 by akshizzle. After reading your posts, I commented out the "/dev/mem" and "/dev/kmem" lines from "/file_contexts". After repacking and flashing the boot.img the changes are visible in "/file_contexts", but after running your kmem-script selinux stays on "enforce". I'm not sure if it has to do with the permission-problem on "/dev/kmem", because I don't see any errors (I'm no Linux geek).

The problem I have is mainly the same as on P905, there's no valid kernel-source published for the stock KK rom (P605XXUCNE2 by the way).

Maybe it's a problem with the other ramdisk-changes to init.rc / default.prop, which I didn't revert when editing /file_contexts. Or is there more to be done than commenting out the 2 lines?

With best regards

MaMe82
now is published on samsung open sources.

Sent from my SM-P605 using Tapatalk
 

ziotom2

Senior Member
Jul 22, 2008
301
97
Milano
Samsung Galaxy S23 Ultra
Stock P605XXUCNE2 Kernel, SELinux switchable ("setenforce 0" from Terminal or "SELinuxModeChanger" from play), NTFS enabled.

Set ro.securestorage.support from true to false in /system/build.prop and reboot, if wifi passwords don't get remembered.

Link: odin flashable tar only for sm-p605 on p605xxucne2

confirm permissive. it works perfectly compliments. I linked your thread from the note 10.1 stream.
 

shardsx

Senior Member
Apr 23, 2013
82
22
First of all, a big thank you goes out to Mame82 for compiling his SELinux permissive kernel.

I've tried to use esgie's SELinux permissive kernel before, and while I do confirm that kernel is SELinux permissive with that particular kernel, I was not able to install Linux using the "Linux Deploy" app from Google Play. The first step of the installation is updating the environment for Linux and it fails right away.

Can someone using Mame82's SELinux permissive kernel also try to install Linux through the "Linux Deploy" app and let me know how it goes? The reason for using Linux Deploy and not the other alternative Linux installers is that I want to try and use Linux in framebuffer mode.

Thanks.
 

mame82

Member
Oct 30, 2008
22
9
First of all, a big thank you goes out to Mame82 for compiling his SELinux permissive kernel.

I've tried to use esgie's SELinux permissive kernel before, and while I do confirm that kernel is SELinux permissive with that particular kernel, I was not able to install Linux using the "Linux Deploy" app from Google Play. The first step of the installation is updating the environment for Linux and it fails right away.

Can someone using Mame82's SELinux permissive kernel also try to install Linux through the "Linux Deploy" app and let me know how it goes? The reason for using Linux Deploy and not the other alternative Linux installers is that I want to try and use Linux in framebuffer mode.

Thanks.

Hi shardsx,

please be careful with the kernel because it's a build for p605 and a bit misplaced in this thread. Anyway I gave Linux Deploy a try and ubuntu runs with success. The problem is, that I'm forced to use vnc, framebuffer is not working. Although /dev/graphics/fb0 is present, "cat /dev/graphics/fb0" gives no such device. I checked the compile options and fb support is checked, msm fb support (snapdragon), too. So anybody who could give a hint what to do here is welcome.

Thanks in advance
 

nadrojcote

Senior Member
Aug 5, 2011
176
24
Will this work on note4 n910w8? I am wanting to disable selinux without using a custom kernel.

Thanks
 

Demid65

New member
Sep 30, 2020
1
0
Seems like link for that file got corrupted. If anyone has a copy of it, can you please send it?
 

Top Liked Posts

  • 6
    At first, I am not liable for any harm or damage that may happen to your device!
    If you have su and didn't trigger knox, I CANNOT guarantee that running this script won't cause 0x1!

    Requirements:
    1) P905/viennalte/Qualcomm based model ONLY (won't work on Exynos devices. MIGHT work on other Qualcomm LTE devices from Note Pro and Tab Pro series or even S5 / Note 3 etc - feel free to repost but give credits AS THIS METHOD SEEMS TO BE COMPLETELY NEW! ) running 4.4.2 stock;
    2) root access with SuperSU (using cf-root - credits to chainfire);
    3) busybox installed (I do recommend this paid installer: https://play.google.com/store/apps/details?id=stericson.busybox.donate , MOST PROBABLY free version will be more than enough, too, but I haven't tested it as I have license...)
    4) Android Terminal Emulator installed ( free at: https://play.google.com/store/apps/details?id=jackpal.androidterm )

    Installation:
    1) download file permissive_via_kmem.sh using below link and put it in the root of internal memory (so it will be placed in: /sdcard/permissive_via_kmem.sh)
    2) run Android Terminal Emulator
    3) at command line, type:
    Code:
    su -c /sdcard/permissive_via_kmem.sh
    (give it an access if requested)
    4) voila.

    Alternative: if u have init.d support just put the file in /system/etc/init.d to make permissive on every boot

    Additional info for advanced users:
    1) samsung decided to compile kernels for newer 4.4.2 roms with a flag (a kernel variable) forcing selinux enforcing mode
    2) as kernel itself cannot be modified after compiled, it was impossible to set permissive mode using shell or even by repacking kernel's ramdisk, at least on Qualcomm LTE devices
    3) custom kernel can do the job, but samsung's sources are broken, at least for P905, and it refuses to boot at all...
    4) however, there is a workaround...
    5) we cannot change kernel binary to run with different flag out of the box BUT we can obtain its placement (address) directly in kernel memory space on running kernel and write different value DIRECTLY into the memory, hacking the kernel to make it think that the flag was different
    6) for this purpose i believe we have to disable restrictions to access kernel pointers (done via sysctl)...
    7) ...then read the output of /proc/kallsyms which will provide a list of all kernel variables along with their addresses in kernel memory space...
    8) ...filter out a boolean variable selinux_enforcing which is responsible for all the troubles...
    9) ...and write raw 00 byte into the address where the variable value is stored, via /dev/kmem.

    Download:
    http://www12.zippyshare.com/v/89625246/file.html
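
Steps 6) to 9) above depend on kernel pointers being readable, on `selinux_enforcing` appearing in /proc/kallsyms with a real address, and on /dev/kmem existing. As an added example (not part of the original post and not the downloadable script), this read-only shell audit reports which of those conditions hold and whether the mode is already permissive; the function names and the root-directory argument are assumptions introduced here.

```shell
#!/bin/sh
# Added example: read-only audit of the conditions the kmem method needs.
# The root-directory argument is an assumption made here so the checks can
# also be pointed at a copy of the relevant files. Nothing is written.
# On a device (root shell): audit_kmem_exposure ""

# Print the address column for one symbol from a kallsyms-format file.
kallsyms_addr() {  # $1 = symbol name, $2 = kallsyms file
    awk -v s="$1" '$3 == s { print $1; exit }' "$2"
}

# Succeed when an address is masked (all zeros), as kptr_restrict leaves it.
addr_is_masked() {
    case "$1" in
        ''|*[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one line per condition that holds; no output means none do.
audit_kmem_exposure() {  # $1 = filesystem root ("" for the live system)
    root="${1:-}"
    kptr=$(cat "$root/proc/sys/kernel/kptr_restrict" 2>/dev/null) || kptr=""
    if [ "$kptr" = "0" ]; then
        echo "kptr_restrict=0: /proc/kallsyms shows real kernel addresses"
    fi
    addr=$(kallsyms_addr selinux_enforcing "$root/proc/kallsyms" 2>/dev/null) || addr=""
    if [ -n "$addr" ] && ! addr_is_masked "$addr"; then
        echo "selinux_enforcing: address visible in /proc/kallsyms"
    fi
    if [ -e "$root/dev/kmem" ]; then
        echo "/dev/kmem present: kernel built with the kmem device"
    fi
    mode=$(cat "$root/sys/fs/selinux/enforce" 2>/dev/null) || mode=""
    if [ "$mode" = "0" ]; then
        echo "SELinux enforce=0: running permissive"
    fi
    return 0
}
```

An empty result means none of the conditions were observed from the calling context; a missing file is treated as "not observed" rather than as a finding.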
    4
    Stock P605XXUCNE2 Kernel, SELinux switchable ("setenforce 0" from Terminal or "SELinuxModeChanger" from play), NTFS enabled.

    Set ro.securestorage.support from true to false in /system/build.prop and reboot, if wifi passwords don't get remembered.

    Link: odin flashable tar only for sm-p605 on p605xxucne2
    1
    Well, if i'd try to express it in a simple way, from the user's point of view permissive mode is equal to selinux turned off at all, except it is logging (and only logging...) all the warnings caused by security violations, which would result in an error in enforcing mode. Permissive mode let you avoid strict security policies defined by manufacturer (and NSA - yeah, the real spies - which is maintaining general selinux rules), but also gives the possibility of establishing possible issues which may appear after switching to "really secure" enforcing mode.

    And if you are asking about the exact, disturbing (ofc if security is not your main priority...) effects of enforcing mode that may affect end-users, we may start from: troubles with write-access to some (mostly external, but i have personally fought with an issue of non-writeable internal sdcard, too) medias (well, to be honest, I do hope that my discovery will help in building 100% working custom recovery...), troubles with non-working system mods resulting from bad selinux file labels, troubles with wiping partitions (ie. wiping cache or even swapping modded system lib sometimes has to be followed by triggering restorecon command on that filesystem (restore selinux context), which is leading to ie. losing root access, which may be fixed by flashing supersu again, etc etc, non working apps (especially related to modifying sensitive system parameters or resources), unchangeable system properties, unreachable functionalities, blah blah blah.... This topic had been widely discussed on xda and over the internet.

    On the contrary, if you like to use your device as-is and you're not interested in modding/tweaking it, you will probably not need this mod, as you will gain nothing - but lose a little bit of security... For heavy modders, although, it's a must-have.

    Btw can anyone confirm if it's working? I assume that I was looking for solution for some time, made some other changes to the environment meanwhile, so I cannot be 100% sure that above script alone is absolutely enough (but in theory it should...), however, even if it is not, it's just a matter of 1-2 days to figure out what additional, previously-well-known steps, such as running "setenforce 0", may be required in addition.

    And as a brief summary: YES, my selinux is now really Permissive, both when running getenforce command and in system settings!

    Sent from my SM-P905 using Tapatalk
    1
    As requested
    Output:
    /dev/kmem cannot open for write: permission denied

    getenforce still returns Enforcing

    u0_a286@viennalte:/ $ cd /dev
    u0_a286@viennalte:/dev $ ls *mem*
    ashmem
    kmem: Permission denied
    mem: Permission denied
    ramdump_audio-ocmem
    ramdump_smem
    smem_log
    1|u0_a286@viennalte:/dev $

    Same result in # mode
    1
    u0_a286@viennalte:/ $ su
    root@viennalte:/ # ls -lZ /dev/kmem >/sdcard/info.txt
    /dev/kmem: Permission denied
    1|root@viennalte:/ #

    info.txt is empty


    chcon: Could not label /dev/kmem with u:object_r:device:s0: Permission denied
    2|root@viennalte:/ #

    waiting for code for 3)

    same result in step 2 with added remount

    ---------- Post added at 04:55 PM ---------- Previous post was at 04:30 PM ----------

    It swallowed all commands in 3) BUT re running the script didn't change anything. After please wait.... done it still says selinux is set to Enforcing. Sorry.
    getenforce returns enforcing
    setenforce to 0 or Permissive doesn't change a bit.
    seems it has to be done the hard way

    better luck next time