[ROM][SM-T350][UNOFFICIAL][crDroidAndroid-10.0][v6.17][ANDROID 10] Galaxy Tab A 8.0

Jan 5, 2021
25
6
You might have devices with those roms that are more popular, but really they're all just about the exact same thing. What can you do with evolution x or havoc that you can't do with crdroid? The real challenge would be porting one ui 3.1, but this tablet would die, there's just no way. Lineage 18.1 is pretty good too, actually almost as good as one ui 3.1. I have a s10 lite and it was a hard call. Oneui 3.1 has face unlock and the samsung camera, which I don't care what people say, it's way better than the mod gcams; the photos are 48mp vs 12mp
Thanks😊
 
Hey, found that trying to set selinux to enforcing crashes... Something. Not sure if it's the system UI or the system. I was trying to use ps remote play, and it wasn't working (detected root), and somewhere I read it needed selinux to be enforcing, so I ran setenforce 1, and everything went black. Magisk is supposed to hide that, but for some reason it seems not to be able to. I will grab a logcat next time I have the chance.
 

retiredtab

Senior Member
Nov 16, 2017
1,892
1,798
I'm building the Nexus 9 15.1 rom for myself and others to use. It has selinux enforcing enabled. See policies at


Now compare that to what the msm8916 repo has


and they know about


zakaryan2004 commented on 9 Aug 2020

We know and it's intended. It will be enforcing later
 
When you set selinux to enforcing, every rule must be in place otherwise functionality of OS/apps will fail.
Would there be any way to have no rules and just have the kernel display it as enforcing, just to get certain apps to work? (maybe releasing that and not letting people know would be a bad idea, for actual security reasons 😂)
 

retiredtab

Senior Member
Nov 16, 2017
1,892
1,798
Would there be any way to have no rules and just have the kernel display it as enforcing, just to get certain apps to work? (maybe releasing that and not letting people know would be a bad idea, for actual security reasons 😂)
I'm not an expert, but I don't think there is a way to have no rules and selinux enforcing. Of course, you could possibly have one rule or rules that says allow everything and turn on selinux enforcing.

That would be the equivalent of a firewall rule allowing everything into your home router.

I only use my devices, whether I built the rom or not, with throwaway email addresses/identities. I don't login to anything, never use banking apps and in 2021 moving away from all things google or big tech related.

If someone steals my device or it's compromised due to the security vulnerabilities, it's not a big deal as there's nothing to connect me to anything important.

BTW, the kernel which the Samsung Tab A/E uses hasn't been updated in 3.5 years as per


Not to mention all the proprietary blobs that exist in the device with possible security vulnerabilities.

So yes, having selinux enforcing is important, but keep in mind the bigger picture above.

And yes, there are tools which will generate the selinux rules by reading the adb logcat, but do you blindly trust that tool and simply grant everything it recommends?
 

retiredtab

Senior Member
Nov 16, 2017
1,892
1,798
Here's the list of all the proprietary files from the msm8916 repo.


I would be worried about all the proprietary blobs that have external functionality like bluetooth, lte and wifi which could be compromised because they have no possibility of being updated.
 
Here's the list of all the proprietary files from the msm8916 repo.


I would be worried about all the proprietary blobs that have external functionality like bluetooth, lte and wifi which could be compromised because they have no possibility of being updated.
I would attempt to implement this, but currently the device trees on nubianprince's github are unable to build because there are files missing (I assume he is refactoring everything, or at least that is what the commits look like).
 
If you are talking about writing selinux policies, here are 2 tools that I investigated.

1. adb pull /sys/fs/selinux/policy && adb logcat -b all -d | audit2allow -p policy

2. https://github.com/SebaUbuntu/selinux-denial-fixer
The difficult part with selinux enforcing is getting the sepolicy done right. If you remove androidboot.selinux=permissive, this will most likely result in the ROM not booting.
I've done a small bit of research. Google recommends working in permissive mode until you at least have all the permissions for the files to boot the OS set up. 1 because indefinitely bootlooping is no fun, and 2 because denials get suppressed in the log with it enforcing. I think this is a very good idea 😂. Retiredtab, I had seen audit2allow on the android docs, and it looks very useful in assisting with what needs to access what, but could not get it to work because of the currently not working device trees 😆. I should just go figure out how to roll back commits and exclude it from syncing for now. I have not seen selinux-denial-fixer, I will have to check it out! Thank you!
 

retiredtab

Senior Member
Nov 16, 2017
1,892
1,798
but could not get it to work because of the currently not working device trees 😆.
If you are using nubianprince's repo and trying to build Android 10, there shouldn't be a problem since there are no recent commits. If you are trying to build 11, that's a different story since there's constant changes made by him.
 

retiredtab

Senior Member
Nov 16, 2017
1,892
1,798
This is a great find, saved me A LOT of time. I was doing these fixes manually; with this I was able to make the selinux denial fixes in no time.
More info here.


Just remember the caveat about blindly granting everything the tool suggests as per (from above URL)

=== snip ===
Nevertheless, care must be taken to examine each potential addition for overreaching permissions. For example, feeding audit2allow the rmt_storage denial shown earlier results in the following suggested SELinux policy statement:

Code:
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };

This would grant rmt the ability to write kernel memory, a glaring security hole. Often the audit2allow statements are only a starting point.
=== end snip ===
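
The caveat quoted in the post above, as an added example that is not part of the original thread or of any tool mentioned in it: a small Python reviewer that reads audit2allow output and flags rules needing a human decision before they go into sepolicy. The watch list is a short illustrative assumption built from the two rules quoted above (plus `load_policy` and `setbool` from the same `security` class), not a complete review policy.

```python
import re

# Illustrative watch list (assumption of this example, not exhaustive).
RISKY_TARGET_TYPES = {"kmem_device": "raw kernel memory device"}
RISKY_CLASS_PERMS = {"security": {"setenforce", "load_policy", "setbool"}}

# Matches: allow <source> <target>:<class> <perm>;  or  { perm perm ... };
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Constructed sample: the audit2allow output quoted in the post above.
SAMPLE = """\
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };
"""

def parse_allow_rules(text):
    """Return (source, target, class, {perms}) for every allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # section headers, comments, blank lines
        source, target, tclass, perms = m.groups()
        rules.append((source, target, tclass, set(perms.strip("{}").split())))
    return rules

def review(text):
    """Return (source, object, perms, reason) for rules that need manual review."""
    findings = []
    for source, target, tclass, perms in parse_allow_rules(text):
        obj = f"{target}:{tclass}"
        if target in RISKY_TARGET_TYPES:
            findings.append((source, obj, sorted(perms), RISKY_TARGET_TYPES[target]))
        hit = perms & RISKY_CLASS_PERMS.get(tclass, set())
        if hit:
            findings.append((source, obj, sorted(hit), "controls SELinux itself"))
    return findings

if __name__ == "__main__":
    for source, obj, perms, reason in review(SAMPLE):
        print(f"REVIEW: {source} -> {obj} {perms}: {reason}")
```

Rules that pass this filter still need reading; the list only catches the obvious overreach before a generated rule is committed.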
 
More info here.


Just remember the caveat about blindly granting everything the tool suggests as per (from above URL)

=== snip ===
Nevertheless, care must be taken to examine each potential addition for overreaching permissions. For example, feeding audit2allow the rmt_storage denial shown earlier results in the following suggested SELinux policy statement:

Code:
#============= shell ==============
allow shell kernel:security setenforce;
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };

This would grant rmt the ability to write kernel memory, a glaring security hole. Often the audit2allow statements are only a starting point.
=== end snip ===
I've been reading these the past few weeks. The goal is to try to get selinux enforcing to work. I've spent most of the week working on getting HW encryption to work and I think I got that working.
 

Nomad3512

Member
Apr 15, 2021
9
0
While I have used custom ROMs before I am really very inexperienced at this.

I have a T350 that I rooted and installed TWRP_3.5.0_9_SM-T350_Unofficial that I got from this forum.

I then tried to flash crDroidAndroid-10.0-20210411-gt58wifi-v6.16.zip. When I rebooted after TWRP finished the crDroid logo came up and never went away. I let it run overnight just to see what might happen.

I was able to get back into TWRP (first had to go to download mode) and then tried to flash crDroidAndroid-9.0-20200125-gt58wifi-v5.11.zip. I have the same issue albeit the logo was now in color.

Since I can get to download mode with a bit of playing I can reflash the stock 7.1.1 and go through rooting again, but I'd rather not if possible.

Does anyone have some suggestions that I could try before I go back to stock?
 
