Hi, AOSP has introduced some changes on the master branch to automatically set enforcing mode [1] and to introduce a ro.boot.selinux option to control the initial enforcing mode [2]. They also introduced a change to ensure that /sys is correctly labeled after policy load [3]. We have merged these changes onto our seandroid branch.
On AOSP master, the default setting of the global enforcing mode has limited effect because most domains are presently unconfined or permissive. On our seandroid branch, the default setting of the global enforcing mode means that all domains are enforcing from the time that init sets the enforcing mode. You can still switch to permissive temporarily from SEAdmin or from su (if a -userdebug build), but the device will always start in enforcing mode unless you override the ro.boot.selinux option. [1] https://android-review.googlesource.com/#/c/64723/ [2] https://android-review.googlesource.com/#/c/64724/ [3] https://android-review.googlesource.com/#/c/64725/ -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
