SELinux operates on the ethos of default denial. Anything that is not explicitly allowed is denied. SELinux can operate in one of two global modes: permissive mode, in which permission denials are logged but not enforced, and enforcing mode, in which denials are both logged and enforced. SELinux also supports a per-domain permissive mode in which specific domains (processes) can be made permissive while placing the rest of the system in global enforcing mode. A domain is simply a label identifying a process or set of processes in the security policy, where all processes labeled with the same domain are treated identically by the security policy. Per-domain permissive mode enables incremental application of SELinux to an ever-increasing portion of the system. Per-domain permissive mode also enables policy development for new services while keeping the rest of the system enforcing.
In the Android 5.0 (L) release, Android moves to full enforcement of SELinux. This builds upon the permissive release of 4.3 and the partial enforcement of 4.4. In short, Android is shifting from enforcement on a limited set of crucial domains (including zygote) to everything (more than 60 domains). This means device manufacturers will have to understand SELinux policy in more depth and scale their implementations in order to ship compatible devices. Understand that:
- Everything is in enforcing mode in the 5.0 release
- No processes other than init should run in the
- Any denial whose target carries a generic catch-all label (block_device, socket_device, default_service, etc.) indicates that the device node, socket or service in question needs its own dedicated type and matching policy rather than an allow rule against the generic label
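The two practical consequences of the points above, triaging denials against generic labels and deciding which domains to keep per-domain permissive while their policy is written, can be worked through on a logcat capture. The following script is an added example and is not code from the Android project: the log lines, the `GENERIC_TYPES` set and the domain names (`foo_daemon`, `bar_app`, `foo_service`) are constructed for illustration, and the audit line format is the one the kernel emits for AVC denials.

```python
"""Triage SELinux AVC denials from an Android logcat/dmesg capture.

Added example for this page; it is not code from the Android project.
Assumptions (hypothetical, for illustration):
  * denial lines use the kernel audit format shown in SAMPLE_LOGCAT;
  * GENERIC_TYPES lists catch-all labels a device should never hit in a
    denial: a hit means the object needs its own device-specific type.
"""
import re

# Generic catch-all labels (constructed list for the example).
GENERIC_TYPES = {"block_device", "socket_device", "default_service",
                 "device", "unlabeled"}

# Constructed sample capture: three denials and one unrelated line.
SAMPLE_LOGCAT = """\
01-01 00:00:01.000  1234  1234 W foo_daemon: type=1400 audit(0.0:12): avc: denied { read write } for name="mmcblk0p5" dev="tmpfs" ino=1234 scontext=u:r:foo_daemon:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
01-01 00:00:02.000  1234  1234 W foo_daemon: type=1400 audit(0.0:13): avc: denied { open } for path="/data/misc/foo/cfg" dev="mmcblk0p28" ino=5 scontext=u:r:foo_daemon:s0 tcontext=u:object_r:foo_data_file:s0 tclass=file permissive=0
01-01 00:00:03.000  2000  2000 W bar: type=1400 audit(0.0:14): avc: denied { find } for service=foo_service scontext=u:r:bar_app:s0 tcontext=u:object_r:default_service:s0 tclass=service_manager permissive=1
01-01 00:00:04.000   200   200 I bar: unrelated log line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    fields["perms"] = sorted(m.group(1).split())
    fields["sdomain"] = fields["scontext"].split(":")[2]   # u:r:<domain>:s0
    fields["ttype"] = fields["tcontext"].split(":")[2]     # u:object_r:<type>:s0
    # permissive=1 means the source domain was already permissive (globally or
    # through a per-domain `permissive` statement): logged, but access went through.
    fields["permissive"] = fields.get("permissive") == "1"
    return fields


def triage(lines):
    """Split denials into objects that need a dedicated label, candidate
    allow rules (audit2allow style), and the source domains seen."""
    relabel, rules, domains = [], set(), set()
    for d in filter(None, map(parse_denial, lines)):
        domains.add(d["sdomain"])
        obj = d.get("name") or d.get("path") or d.get("service") or "?"
        if d["ttype"] in GENERIC_TYPES:
            # Never write an allow rule against a generic type; give the object
            # its own type in file_contexts / service_contexts instead.
            relabel.append((d["sdomain"], d["ttype"], d["tclass"], obj))
        else:
            rules.add("allow %s %s:%s { %s };" % (
                d["sdomain"], d["ttype"], d["tclass"], " ".join(d["perms"])))
    return {"relabel": relabel, "rules": sorted(rules), "domains": sorted(domains)}


def permissive_stanzas(domains):
    """`permissive <domain>;` lines for a .te file: domains still under
    development run permissive while the rest of the device stays enforcing."""
    return ["permissive %s;" % dom for dom in domains]


if __name__ == "__main__":
    result = triage(SAMPLE_LOGCAT.splitlines())
    for item in result["relabel"]:
        print("needs its own type: domain=%s hit %s (tclass=%s, object=%s)" % item)
    print("\n".join(result["rules"]))
    print("\n".join(permissive_stanzas(result["domains"])))
```

Run it against a real capture with `adb logcat -b all | grep avc` piped into `triage`. Entries in `relabel` call for a new type and a contexts entry, not an allow rule; the `rules` output is only a starting point and should be reviewed line by line, exactly as `audit2allow` output would be. The `permissive` stanzas belong in the `.te` file of each domain whose policy is still incomplete and must be removed before the device ships, since a per-domain permissive statement turns every denial in that domain into a logged allow.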
See the documentation below for details on constructing useful policies: