Android 4.4.x Kitkat (this includes the 4.4.1 & 4.4.2 updates) has updated the SELinux mode from “permissive” in Android 4.3 to “enforcing” mode. For those running Android 4.3, this does have SELinux logging but didn’t have an enforced mode which in Android 4.4 now blocks escalation attacks i.e. an app gaining root privilege. All in the name of security. 🙂
Logging and Enforced mode needs to be enabled on Android 4.4.x for “enforcing” mode to work. It’s no easy job to set this up for the average user though. We will be testing “enforcing” mode on 4.4.2 later this month (January 2014). As for Android 4.3 (ours was Maguro) you do <getenforce> in root/SU and it showed us that SELinux was in permissive mode – in other words it was just logging (although auditd wasn’t setup) any SELinux denials.
Android 4.3 does allow a rooted device to put this into enforcing mode if the user wishes. You would use <adb shell su 0 setenforce 1> to enable enforcing mode. For logging to work ‘auditd‘ would need to be running as well. You also have the option to disable the use of a SELinux policy. All devices would need to then be re-flashed for these security enhancements to take affect. It’s unlikely that most users (other than modders/ developers) would know how to do this.
SELinux looks like it is causing some rooted apps to break. One such suggestion is to switch from “enforcing” mode to “permissive” mode. This is only a temporary fix though. Here is an Android app called SELinux Mode Changer which is available from the Play Store. Your device will need to be rooted so you can install and run to enable “permissive “ mode. You can also download SELinux Mode Changer from xdadevelopers.
Safe surfing folks!