SELinux in Android


Praveen Kotari

Nov 18, 2020, 12:37:03 PM
to Android Automotive OS Discussion Group
Can anyone help me understand SELinux in Android, how it works and how it can be customized?

Android Automotive OS Discussion Group

Nov 18, 2020, 12:43:19 PM
to Android Automotive OS Discussion Group, pravee...@gmail.com
https://source.android.com/security/selinux has documentation and it would be a good starting point.

William Smith

Nov 18, 2020, 2:35:20 PM
to Android Automotive OS Discussion Group, Android Automotive OS Discussion Group, pravee...@gmail.com
After you read the documentation, then this much I can say:
If you create a new service, HAL, app that uses it, etc:
- you need to define an selinux context with an appropriate name
- you need to add your files, app, executable, etc. to that context
- those files go into your device target folder under sepolicy and get added to your target makefile
- the sepolicy files are compiled into a blob that is loaded by the kernel
- it is a MAC (mandatory access control) security scheme (Ubuntu uses something called apparmor)
- error messages show up in dmesg (grep "avc" to filter them)
- avc error messages can be used to generate rules to a certain extent using audit2allow
    (it doesn't help with file, app, etc. contexts)
- "setenforce 0" (or 1) disables it and enables it in a userdebug build
- here are some of the internal Android .te files with selinux policy rules in them with some documentation
- there are thousands of selinux rules in Android

And some added for a specific product:

Treble uses selinux to enforce the separation between the vendor and system partitions.

Good luck!
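To make the avc-to-rule step in the list above concrete, here is a small added example (not code from the poster or from AOSP) that does a stripped-down version of what audit2allow does: it picks "avc: denied" lines out of dmesg text and collapses them into .te-style allow rules. The dmesg lines, the `my_hal` domain and the file type names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output (not from a real device); the domain
# "my_hal" and the target types are hypothetical names for illustration.
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(1605700000.123:45): avc: denied { read } for pid=1234 comm="my_hal" name="cfg.txt" dev="dm-0" ino=7 scontext=u:r:my_hal:s0 tcontext=u:object_r:vendor_configs_file:s0 tclass=file permissive=0
[   12.345901] type=1400 audit(1605700000.124:46): avc: denied { open } for pid=1234 comm="my_hal" path="/vendor/etc/cfg.txt" dev="dm-0" ino=7 scontext=u:r:my_hal:s0 tcontext=u:object_r:vendor_configs_file:s0 tclass=file permissive=0
[   13.000000] type=1400 audit(1605700001.000:47): avc: denied { call } for pid=1234 comm="my_hal" scontext=u:r:my_hal:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
[   14.000000] some unrelated kernel message
"""

# Captures the denied permission set and the source/target contexts + class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) for each avc denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial, e.g. ordinary kernel chatter
        # A context looks like u:r:my_hal:s0 (user:role:type:level); the
        # policy rule only needs the type field.
        src = m.group("scontext").split(":")[2]
        tgt = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm

def generate_rules(text):
    """Collapse denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        perms[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), ps in sorted(perms.items()):
        rules.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return rules

if __name__ == "__main__":
    # On a device this would be fed by: adb shell dmesg | grep avc
    for rule in generate_rules(SAMPLE_DMESG):
        print(rule)
```

As the post says, this only gets you part of the way: the file and app contexts still have to be declared by hand, and any generated rule that collides with the platform's neverallow assertions will be rejected when sepolicy is built, so each rule should be narrowed to the permissions the component actually needs.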