Introduction to SELinux on Android
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system implemented in the Linux kernel. On Android, SELinux plays a critical role in enhancing device security by confining privileged processes and services to the minimum set of permissions they need. Unlike traditional Discretionary Access Control (DAC) where file owners dictate permissions, SELinux policies are system-wide and enforced by the kernel, providing a robust layer of protection against privilege escalation and malicious exploits.
Android has run SELinux in fully enforcing mode since version 5.0 (Lollipop). This means every file, process, and system resource on an Android device has an associated SELinux context, and every access attempt is checked against the loaded SELinux policy.
Understanding SELinux Contexts
At the core of SELinux is the concept of a “security context” or “label.” Every subject (process) and object (file, socket, IPC, etc.) has a context. These contexts are strings that describe the security attributes of the entity. A typical SELinux context has four components:
The Four Components: user:role:type:sensitivity
- User (`u`): Represents a specific SELinux user. On Android, this is almost always `u` (for unconfined) as multi-user SELinux is not fully utilized in the same way as traditional Linux distributions.
- Role (`r`): Defines an authorized set of types that an SELinux user can access. For Android, the role is typically `object_r` for files and `r` for processes.
- Type (`t`): This is the most crucial component for Android’s security model. It defines the security attributes of a file or process, such as `system_server`, `zygote`, `app_data_file`, etc. SELinux policy rules primarily govern interactions between types.
- Sensitivity (`s`): Represents a Multi-Level Security (MLS) or Multi-Category Security (MCS) level. Android utilizes MCS, typically denoted as `s0`, which is often combined with categories (e.g., `s0:c1,c2`) for app sandboxing.
For most practical purposes on Android, you’ll be primarily concerned with the type component of the context.
File Contexts
File contexts define the security type for files and directories. These contexts are typically assigned during initial filesystem creation, or via policy updates and `restorecon` operations. They are crucial for determining which processes can read, write, or execute which files.
You can view the SELinux context of files using the `-Z` option with the `ls` command:
adb shell ls -Z /data/data/com.example.myapp
drwxr-x--x u:object_r:app_data_file:s0:c123,c456 com.example.myapp
In this example, `app_data_file` is the type for the application’s data directory. You can temporarily change a file’s context using `chcon`, though this change is not persistent across reboots or `restorecon` operations:
adb shell chcon u:object_r:vendor_file:s0 /data/local/tmp/mybinary
adb shell ls -Z /data/local/tmp/mybinary
-rwxr-xr-x u:object_r:vendor_file:s0 mybinary
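The contexts in the `ls -Z` output above can be split into their four components programmatically, which is useful when auditing a directory for labels that have drifted from the expected type (for example after a `chcon`). This is an added example, not code from the original article; the function names are hypothetical, the expected type is supplied by the caller, and the parser assumes a single level such as `s0` or `s0:c1,c2` rather than an MLS range.

```python
"""Parse SELinux contexts from `ls -Z` output and flag unexpected types."""
from typing import List, NamedTuple, Tuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    sensitivity: str
    categories: Tuple[str, ...]


def parse_context(label: str) -> Context:
    # The level may itself contain ':' (s0:c123,c456), so split only three
    # times; a plain split(":") would cut the categories off the level.
    parts = label.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a user:role:type:level context: {label!r}")
    user, role, type_, level = parts
    # Assumption: a single level such as s0 or s0:c1,c2, not an MLS range.
    sensitivity, _, cats = level.partition(":")
    return Context(user, role, type_, sensitivity,
                   tuple(c for c in cats.split(",") if c))


def parse_ls_z(line: str) -> Tuple[str, Context]:
    """Return (name, context) for one line of `ls -Z` output."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.count(":") >= 3 and i + 1 < len(fields):
            return " ".join(fields[i + 1:]), parse_context(field)
    raise ValueError(f"no SELinux context in line: {line!r}")


def unexpected_types(lines: List[str], expected_type: str) -> List[str]:
    """Names whose type differs from expected_type, e.g. after a chcon."""
    return [name for name, ctx in map(parse_ls_z, lines)
            if ctx.type != expected_type]


# Constructed sample: the two `ls -Z` output lines shown in this article.
SAMPLE = [
    "drwxr-x--x u:object_r:app_data_file:s0:c123,c456 com.example.myapp",
    "-rwxr-xr-x u:object_r:vendor_file:s0 mybinary",
]

if __name__ == "__main__":
    for name, ctx in map(parse_ls_z, SAMPLE):
        print(name, ctx)
    print("unexpected:", unexpected_types(SAMPLE, "app_data_file"))
```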
Process Contexts
Process contexts define the security type for running processes. When a process starts, it inherits the context of its parent, but can then transition to a new domain (type) based on SELinux policy rules. This