• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

[ROM][SM-T350][UNOFFICIAL][crDroidAndroid-10.0][v6.17][ANDROID 10] Galaxy Tab A 8.0

Search This thread
Jan 5, 2021
25
4
You might have devices with those roms are more popular but really there all just about the exact same thing. What can you do with evolution x or havoc that you can't do with crdroid? The real challenge would be porting one ui 3.1 but this tablet would die there just no way. Lineage 18.1 is pretty good to actually almost as good as one ui 3.1 I have a s10 lite and it was a hard call. Oneui 3.1 has fac3 unlock and the samsung camera which I don't care what people say it's way better than the mod gcams the photos are 48mp vs 12mp
Thanks😊
 
Hey, found that trying to set selinux to enforcing crashes... Something. Not sure if it's the system UI or the system. I was trying to use ps remote play, and it wasn't working (detected root), and somewhere I read it needed selinux to be enforcing, so I ran setenforce 1, and everything went black. Magisk is supposed to hide that, but for some reason it seems not to be able to. I will grab a logcat next time I am have the chance.
 
Last edited:

retiredtab

Senior Member
Nov 16, 2017
780
321
I'm building the Nexus 9 15.1 rom for myself and others to use. It has selinux enforcing enabled. See policies at


Now compare that to what the msm8916 repo has


and they know about


zakaryan2004 commented on 9 Aug 2020

We know and it's intended. It will be enforcing later
 
When you set selinux to enforcing, every rule must be in place otherwise functionality of OS/apps will fail.
Would there be any way to have no rules and just have the kernel display it as enforcing, just to get certian apps to work? (maybe releasing that and not letting people know would be a bad idea, for actual security reasons 😂)
 
Last edited:

retiredtab

Senior Member
Nov 16, 2017
780
321
Would there be any way to have no rules and just have the kernel display it as enforcing, just to get certian apps to work? (maybe releasing that and not letting people know would be a bad idea, for actual security reasons 😂)
I'm not an expert, but I don't think there is a way to have no rules and selinux enforcing. Of course, you could have possibly have one rule or rules that says allow everything and turn on selinux enforcing.

That would be the equivalent of a firewall rule allowing everything into your home router.

I only use my devices whether I built the rom or not with throwaway email addresses/identites. I don't login to anything, never use banking apps and in 2021 moving away from all things google or big tech related.

If someone steals my device or it's compromised due to the security vulnerabilities, it's not a big deal as there's nothing to connect me to anything important.

BTW, the kernel which the Samsung Tab A/E uses hasn't been updated in 3.5 years as per


Not to mention all the proprietary blobs that exist in the device with possible security vulnerabilities.

So yes, having selinux enforcing is important, but keep in mind the bigger picture above.

And yes, there are tools which will generate the selinux rules by reading the adb logcat, but do you blindly trust that tool and simply grant everything it recommends?
 
  • Like
Reactions: lividhen

retiredtab

Senior Member
Nov 16, 2017
780
321
Here's the list of all the proprietary files from the msm8916 repo.


I would be worried about all the proprietary blobs that have external functionality like bluetooth, lte and wifi which could be compromised because they have no possibility of being updated.
 
Here's the list of all the proprietary files from the msm8916 repo.


I would be worried about all the proprietary blobs that have external functionality like bluetooth, lte and wifi which could be compromised because they have no possibility of being updated.
I would attempt to implement this, but currently the device trees on nubianprince's github are unable to build because there are files missing (I assume he is refactoring everything, or atleast that is what the commits look like).
 
If you are talking about writing selinux policies, here are 2 tools that I investigated.

1. adb pull /sys/fs/selinux/policy && adb logcat -b all -d | audit2allow -p policy

2. https://github.com/SebaUbuntu/selinux-denial-fixer
the difficult part with selinux enforcing is getting the sepolicy done right if you remove androidboot.selinux=permissive this is most likely result in the ROM not booting
I've done a small bit of research. Google recommends working in permissive mode until you at least have all the permissions for the files to boot the OS set up. 1 because indefinatly bootlooping is no fun, and 2 because denials get suppressed in the log with it enforcing. I think this is a very good idea 😂. Retiredtab, I had seen audit2allow on the android docs, and it looks very useful in assisting with what needs to access what, but could not get it to work because of the currently not working device trees 😆. I should just go figure out how roll back commits and exclude it from syncing for now. I have not seen selinux-denial-fixer, I will have to check it out! Thank you!
 

retiredtab

Senior Member
Nov 16, 2017
780
321
This is a great find saved me A LOT of time, i was doing this fixes manually, with this i was able to make the selinux denial fixes in no time
More info here.


Just remember the caveat about blindly granting everything the tool suggests as per (from above URL)

=== snip ===
Nevertheless, care must be taken to examine each potential addition for overreaching permissions. For example, feeding audit2allow the rmt_storage denial shown earlier results in the following suggested SELinux policy statement:

Code:
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };

This would grant rmt the ability to write kernel memory, a glaring security hole. Often the audit2allow statements are only a starting point.
=== end snip ===
 
More info here.


Just remember the caveat about blindly granting everything the tool suggests as per (from above URL)

=== snip ===
Nevertheless, care must be taken to examine each potential addition for overreaching permissions. For example, feeding audit2allow the rmt_storage denial shown earlier results in the following suggested SELinux policy statement:

Code:
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };

This would grant rmt the ability to write kernel memory, a glaring security hole. Often the audit2allow statements are only a starting point.
=== end snip ===
i've been reading these the past few weeks, the goal is to try selinux enforcing to work, ive spent most of the week woking on getting HW encryption to work and I think I got that working
 

Nomad3512

Member
Apr 15, 2021
9
0
While I have used custom ROMs before I am really very inexperienced at this.

I have a T350 that I rooted and installed TWRP_3.5.0_9_SM-T350_Unofficial that I got from this forum.

I then tried to flash crDroidAndroid-10.0-20210411-gt58wifi-v6.16.zip. When I rebooted after TWRP finished the crDroid logo came up and never went away. I let it run overnight just to see what might happen.

I was able to get back into TWRP (first had to go to download mode) and then tried to flash crDroidAndroid-9.0-20200125-gt58wifi-v5.11.zip. I have the same issue albeit the logo was now in color.

Since I can get to download mode with a bit of playing I can reflash the stock 7.1.1 and go through rooting again, but I'd rather not if possible.

Does anyone have some suggestions that I could try before I go back to stock?
 

Top Liked Posts