polygraphene/DirtyPipe-Android

About Closing SELinux

YeJZ opened this issue · 3 comments

YeJZ commented

Hi, here is my reproduced exploit on Pixel 6:

[image]

I noticed that we need to manually execute setenforce 0 after using Magisk to escalate to root.

But in mymod.c, I see that the KO file already has code to set SELinux to permissive mode.

[image]

Why do we need to manually run setenforce 0 when SELinux is already set to permissive in the KO file?

Because you are in a permissive domain.
A permissive domain means permissive mode only while you are in that domain. The kernel module puts vendor_modprobe into a permissive domain.

You need setenforce 0 if you want all domains on the system to be permissive. But I don't think you need that, because u:r:magisk:s0 is also a permissive domain. When you run the su command, all operations are executed in the permissive domain.

YeJZ commented

OK. I see a lot of chcon commands in the script named Start-Root, so that is the reason u:r:magisk:s0 is a permissive domain, right? And we can execute the chcon command only if we are already in a permissive domain, which is why we need to put vendor_modprobe into a permissive domain first.

OK. I see a lot of chcon commands in the script named Start-Root, so that is the reason u:r:magisk:s0 is a permissive domain, right?

Yes.

And we can execute the chcon command only if we are already in a permissive domain, which is why we need to put vendor_modprobe into a permissive domain first.

Yes.
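The distinction discussed in this thread, a single permissive domain versus a global setenforce 0, is visible in the kernel's AVC audit messages: a denial that was logged but not blocked carries permissive=1, and its scontext names the domain that was permissive. The following is an added example (not code from the DirtyPipe-Android project or from anyone in this thread) that parses constructed AVC log lines and reports which source domains are operating permissively, which is what a defender would look for when checking whether a device has been placed into a permissive domain or into global permissive mode. The sample log lines, the pid/dev/ino values and the untrusted_app entry are constructed for illustration; the vendor_modprobe and magisk domain names come from the thread.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Standard kernel AVC message shape: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (comm="chcon") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict of AVC fields; None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").strip()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def domain_of(context: str) -> str:
    """Return the type field of a u:r:type:s0 security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def permissive_domains(lines: Iterable[str]) -> Set[str]:
    """Source domains whose denials were logged with permissive=1 (not enforced)."""
    found: Set[str] = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("permissive") == "1" and "scontext" in rec:
            found.add(domain_of(rec["scontext"]))
    return found


def describe_mode(enforce_value: int, permissive: Set[str]) -> str:
    """Summarise SELinux state from /sys/fs/selinux/enforce plus observed permissive domains."""
    if enforce_value == 0:
        return "global permissive (setenforce 0): every domain is permissive"
    if permissive:
        return "enforcing, but permissive domains observed: " + ", ".join(sorted(permissive))
    return "enforcing, no permissive domains observed"


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG: List[str] = [
    '[  123.456] type=1400 audit(0.0:42): avc: denied { relabelfrom } for pid=1234 '
    'comm="chcon" name="su" dev="dm-0" ino=1 scontext=u:r:vendor_modprobe:s0 '
    'tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1',
    '[  124.001] type=1400 audit(0.0:43): avc: denied { read } for pid=2001 '
    'comm="app" name="x" dev="dm-0" ino=2 scontext=u:r:untrusted_app:s0 '
    'tcontext=u:object_r:system_file:s0 tclass=file permissive=0',
    '[  125.777] type=1400 audit(0.0:44): avc: denied { setattr } for pid=3001 '
    'comm="sh" name="y" dev="dm-0" ino=3 scontext=u:r:magisk:s0 '
    'tcontext=u:object_r:system_file:s0 tclass=file permissive=1',
    "[  126.000] init: starting service 'adbd'...",  # not an AVC line, ignored
]

if __name__ == "__main__":
    domains = permissive_domains(SAMPLE_LOG)
    # On a device this value would be read from /sys/fs/selinux/enforce; 1 assumed here.
    print(describe_mode(1, domains))
```

A global setenforce 0 shows up as enforce=0 in /sys/fs/selinux/enforce, while a kernel-module-granted permissive domain leaves enforce=1 and only marks that domain's denials with permissive=1, which is why the two cases need to be checked separately.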