Gapps and SU on SOC?

Setting EnableSeLinux to Disabled is better than Permissive. But Android Nougat has a bug: it doesn’t set EnableSeLinux to Disabled.

1 Like

I understand.

But root does not work on my Android M & N… I don’t know why…

I am at home. You can check the printed log.
Make sure the value of android.bootselinux in the cmd line is permissive.

Yes, I checked my log

androidboot.selinux=permissive

But then:
[ 4.940795@0] init: (Initializing SELinux enforcing took 0.28s.)

because

shell@Vim:/ $ getprop ro.build.type
user

but we need eng or userdebug to disable selinux

1 Like

Didn’t you lunch the userdebug? Oh my god, yes, you need to lunch eng or userdebug.

The instructions say:

For Android Marshmallow: lunch kvim-user-32
For Android Nougat: lunch kvim-user-64

Problem is solved. I added “user” to Android.mk and root works on Marshmallow!

Did you use “userdebug” on your Vim_Marshmallow_Root_170121?

PS: I rebuilt Nougat after adding “user” to Android.mk. Root works on Nougat too!!!

Yes, that is good news.

Sorry to invade the discussion, but I’m trying to add SU to a Marshmallow AOSP ROM build.
I’m using a user build and enabled selinux permissive on it.
I have also set ro.secure=0, ro.debuggable=1 and security.perf_harden=0 (not sure if needed).
I have also modified fs_config.c to change the su permissions.
I managed to get this to work with this guide, so that after flashing the ROM SuperSU asks to update the su binary, and after that su works.
I then cleaned the work area to verify the build by deleting the out dir and recompiled. No go anymore.

You don’t need to do that.
You need to modify the file ‘system/core/init/Android.mk’ when you build the source code using user mode.

----   ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
++++   ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
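
Review bot: with user added to the filter on the ++++ line, the list now names user, userdebug and eng, which is every build variant, so the ifneq is always true and no longer gates anything; whatever this block enables in init will also be built into release user images. If the goal is a rooted test image, keep the original filter and lunch a userdebug target, or key the block on a dedicated opt-in make variable so that ordinary user builds stay unchanged.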

I did an eng build to see if the problem was the user build, but I still get no SU installed.
AOSP doesn’t seem to have init.d support by default, so 99SuperSUDaemon doesn’t get run.
If I run the command from 99SuperSUDaemon, SuperUser then notifies that su must be updated, and after that it’s working.
I tried to add a service to init.rc which would run the /system/xbin/daemonsu --auto-daemon & command, but then SELinux kicks in even though it’s Permissive.

What’s the permission? Can you paste your log in the post?

Now I got it. It seems that I had previously used an eng build in some phase and then moved back to a user build, so something was left in the build area to enable root. When cleaned, it stopped working.

For daemonsu I changed my init.rc script to look like this.

service daemonsu /system/xbin/daemonsu --auto-daemon &
    class main
    user root
    seclabel u:r:su:s0

taken initially from here: https://github.com/lbdroid/AOSP-SU-PATCH/commit/2382d58c2a85f217d94010c1e1ce489933bdef82
This now works.

I also had to make changes to the external/supolicy/ files, which were described here.
https://forum.xda-developers.com/showpost.php?p=63419048&postcount=7
I had to make some extra policy changes, but now root works.

You are right. The best way is to allow the permissions for su and not disable selinux.
Thanks for your reply :grinning:

Is it the case that Nougat has to be set to permissive anyway?

What would be the correct way to do that for Nougat? I mean allow root permission but not disable SELinux.

You need to modify some files under the path external/sepolicy.
I think more permissions need to be added to support SU.
You can try to add the permissions for SU step by step.

Example:

  • If you see permission information like this in the printed log:
type=1400 audit(1506682612.303:41): avc: denied { getattr } for pid=5121 comm="bootstat" path="/vendor" dev="rootfs" ino=9834 scontext=u:r:bootstat:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
  • You need to modify the file ‘external/sepolicybootstat.te’
diff --git a/bootstat.te b/bootstat.te
index 44a8c91..d2fde00 100644
--- a/bootstat.te
+++ b/bootstat.te
@@ -7,6 +7,7 @@ init_daemon_domain(bootstat)
 # Allow persistent storage in /data/misc/bootstat.
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
+allow bootstat rootfs:lnk_file { getattr };
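
Review bot: the added allow rule on the last line lands directly under the comment "Allow persistent storage in /data/misc/bootstat", which does not describe it; give it its own comment naming the /vendor symlink on rootfs from the logged denial. The braces around the single permission getattr are unnecessary. The denial was logged with permissive=1, so this rule only changes behaviour once the device runs enforcing. The hunk header announces 6 old and 7 new lines but only 3 context lines are shown, so the hunk as posted is truncated and would not apply as is.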

Have a try.
Thanks.
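
The step described in the post above, going from a logged avc denial to a candidate allow rule, can be scripted when the log contains many denials. This is an added example, not code from the thread or from AOSP; the function names are hypothetical, and in the sample log only the first line is the one quoted in the thread, the rest are constructed.

```python
import re
from collections import defaultdict

# AVC denial format as it appears in the log line quoted in the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+"
    r"tclass=(?P<cls>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def parse_denials(log_text):
    """Merge denials by (source type, target type, class)."""
    found = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial (e.g. init messages)
        src, tgt = selinux_type(m["src"]), selinux_type(m["tgt"])
        if src == tgt:
            tgt = "self"  # policy convention when source and target type match
        entry = found[(src, tgt, m["cls"])]
        entry["perms"].update(m["perms"].split())
        # permissive=0 means the access was really denied, not just logged
        entry["blocked"] |= m["permissive"] == "0"
    return dict(found)

def to_allow_rules(log_text):
    """Render one candidate allow rule per merged denial, sorted."""
    rules = []
    for (src, tgt, cls), entry in sorted(parse_denials(log_text).items()):
        perms = " ".join(sorted(entry["perms"]))
        state = "blocked" if entry["blocked"] else "logged only (permissive)"
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # {state}")
    return rules

# First line is the denial quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
type=1400 audit(1506682612.303:41): avc: denied { getattr } for pid=5121 comm="bootstat" path="/vendor" dev="rootfs" ino=9834 scontext=u:r:bootstat:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
type=1400 audit(1506682612.410:42): avc: denied { read } for pid=5121 comm="bootstat" name="vendor" dev="rootfs" ino=9834 scontext=u:r:bootstat:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
type=1400 audit(1506682613.020:43): avc: denied { getattr } for pid=5130 comm="bootanimation" path="/vendor" dev="rootfs" ino=9834 scontext=u:r:bootanim:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0
[ 4.940795@0] init: (Initializing SELinux enforcing took 0.28s.)
"""

if __name__ == "__main__":
    print("\n".join(to_allow_rules(SAMPLE_LOG)))
```

The output is a list of candidates to review one at a time, in the step-by-step manner the post suggests, not policy to paste in wholesale.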

Is the path to the file - external/sepolicybootstat.te - correct?

The only bootstat.te I found is at system/sepolicy/bootstat.te, and editing that one doesn’t fix the following error:

If you want to fix this permission issue, you need to modify the file ‘system/sepolicy/bootanim.te’.
Add this line into the file

allow bootanim rootfs:lnk_file { getattr } ;

1 Like

Thanks, solved that particular error, but there are quite many more, see my log here.

Hi, Gytis
These permission issues don’t matter for SU.