Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why is ro.build.selinux set to 0 while still enforcing? #1477

Closed
TheDauntless opened this issue May 20, 2019 · 4 comments
Closed

Why is ro.build.selinux set to 0 while still enforcing? #1477

TheDauntless opened this issue May 20, 2019 · 4 comments

Comments

@TheDauntless
Copy link

Multiple sources state that the proprty ro.build.selinux is a "dangerous property" that can be used to detect rooted devices:

On my test device (Nexus 6, Android 7.1.2, Magisk v19.1), this property is set to 0, although getenforce returns "Enforcing"

hammerhead:/ $ getenforce
Enforcing
hammerhead:/ $ getprop | grep selinux
[ro.build.selinux]: [0]
[selinux.reload_policy]: [1]
hammerhead:/ $

My take on this is that ro.build.selinux should always be 1 (and definitely with Magisk Hide enabled). My questions:

  • Why is it reporting 0?
  • If the system is in enforcing mode anyway, why is it disabled?
  • Why is 1 considered the dangerous value, since having 0 for any Android version > 5 is an obvious tell of something being wrong.

Any push in the right direction is appreciated :).
@topjohnwu
Copy link
Owner

I believe the proper value is 0, this value is there for years :)

@TheDauntless
Copy link
Author

Thanks for replying.

On my non-rooted S8, the value is 1, which means that the system has been built with SELinux support.

+ * Determines if the platform was built with SELinux Support.
+ * @return a boolean indicating whether or not the system was
+ * built with HAVE_SELINUX:=true.
+ */

https://selinux.tycho.nsa.narkive.com/Sm3AJGI8/adding-support-for-ro-build-selinux-to-android-os-selinux

I was expecting getenforce to rely on this property, but it actually checks the /selinux mountpoint, so there doesn't seem to be a direct link between them.

I believe the proper value is 0, this value is there for years :)

Do you have any documentation on this? As I stated, my non-rooted phone has 1 for this flag, so it would be weird if Magisk hide changes this to 0.

Do you think changing this behaviour would break some functionality? Maybe Magisk should store the original value during installation time? Or maybe Magisk just shouldn't change it?

@Ingan121
Copy link
Contributor

It seems Rootbeer is falsely detecting ro.build.selinux=0 as enforcing. Its SELinux check also fails on non-rooted devices, too.
Native Root Checker detects it fine, and it cannot be passed without resetprop ro.build.selinux 1.

@TheDauntless
Copy link
Author

So doesn't it make more sense if Magisk Hide forces it to 1, as that is the most secure state and it would be in line with getenforce?

@osm0sis osm0sis mentioned this issue Mar 12, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@TheDauntless @topjohnwu @Ingan121