topjohnwu / Magisk

The Magic Mask for Android
GNU General Public License v3.0

Magisk v11.6 reporting Permissive SELinux and ro.build.selinux #125

Closed Didgeridoohan closed 7 years ago

Didgeridoohan commented 7 years ago

Since Magisk v11.5 the system reports SELinux as being disabled/Permissive. But, SafetyNet can still pass and Magisk Hide seems to be functioning. Using the command getenforce in terminal will report "enforcing". This was first thought to be caused by Magisk Hide setting ro.build.selinux=0.

See the logs and speculations in the following posts:

https://forum.xda-developers.com/showpost.php?p=71504755&postcount=10477

https://forum.xda-developers.com/showpost.php?p=71504806&postcount=10480

https://forum.xda-developers.com/showpost.php?p=71505607&postcount=10505

After some testing and trying with Magisk v11.1 and modules, I'm not sure that's the source. Magisk v11.6 sets ro.build.selinux=1 if it's found to be set to 0 and the system still reports SELinux as being disabled/Permissive. I've also confirmed that the "dangerous" prop value some apps look for is ro.build.selinux=1 and those don't complain if it's set to 0. And on my Nexus 6, Pure Nexus 7.1.1, Franco Kernel r65, setting ro.build.selinux=0 does not cause SELinux to be disabled/Permissive. YMMV...

There's something causing SELinux to be reported as Permissive in Magisk v11.5 and v11.6, but it seems this is only cosmetic. What is causing that is the question though...

It may be a good idea, though, to leave ro.build.selinux alone and leave it up to the user whether they want to change that particular prop or not.

Didgeridoohan commented 7 years ago

Did some testing and found the culprit.

It's the new part of Magisk Hide that sets permissions for a couple of files (/sys/fs/selinux/enforce and /sys/fs/selinux/policy) needed for some Samsung users to pass SafetyNet. With those permissions being set through /magisk/.core/magiskhide/enable, SELinux reports as Permissive (or even Disabled to some apps) when Magisk Hide is enabled. Removing/commenting out the two lines fixes the issue.

Setting the permissions for those two files is generally only needed for Samsung custom ROMs and should probably not be set globally...

I still think ro.build.selinux should be removed from being set by default by Magisk Hide though...
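
An added diagnostic, not part of the original thread or Magisk's code: it gathers the signals discussed above (getenforce, the selinuxfs enforce file as the current user sees it, the modes of the two files, and ro.build.selinux) and flags any disagreement between the tool and the file. The function names and the ENFORCE_FILE/POLICY_FILE overrides are assumptions made for this example, as is the idea that a caller unable to read the enforce file cannot confirm Enforcing.

```shell
#!/bin/sh
# Added example (not Magisk code). Defaults are the two selinuxfs files named
# in this issue; the overrides exist only so the functions can be tested.
ENFORCE_FILE="${ENFORCE_FILE:-/sys/fs/selinux/enforce}"
POLICY_FILE="${POLICY_FILE:-/sys/fs/selinux/policy}"

# Print the octal mode of a file, or "missing" if it does not exist.
file_mode() {
    [ -e "$1" ] || { echo missing; return 0; }
    stat -c %a "$1" 2>/dev/null || echo unknown
}

# What the current user learns from the enforce file:
# enforcing (contents 1), permissive (contents 0), or unreadable.
state_from_file() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    case "$(cat "$1" 2>/dev/null)" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unreadable ;;
    esac
}

# Normalise getenforce output (Enforcing/Permissive/Disabled) to lower case.
state_from_tool() {
    command -v getenforce >/dev/null 2>&1 || { echo unavailable; return 0; }
    getenforce 2>/dev/null | tr 'A-Z' 'a-z'
}

# "match" when both signals agree, otherwise name the disagreement.
compare_signals() {
    if [ "$1" = "$2" ]; then echo match; else echo "mismatch: tool=$1 file=$2"; fi
}

report() {
    tool=$(state_from_tool)
    file=$(state_from_file "$ENFORCE_FILE")
    echo "getenforce:       $tool"
    echo "enforce file:     $file (mode $(file_mode "$ENFORCE_FILE"))"
    echo "policy file mode: $(file_mode "$POLICY_FILE")"
    # getprop exists on Android only; the line is skipped elsewhere.
    command -v getprop >/dev/null 2>&1 && echo "ro.build.selinux: $(getprop ro.build.selinux)"
    echo "result:           $(compare_signals "$tool" "$file")"
}

report
```

Run it once from a root shell and once from an unprivileged app-level shell, with Magisk Hide enabled and disabled, and compare the four reports.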

topjohnwu commented 7 years ago

Thanks for reporting!!

Didgeridoohan commented 7 years ago

No worries. And continuing on my reasoning about not setting ro.build.selinux by default: Maybe it would be a good idea to let the user be able to toggle which of the props get set by Magisk Hide in the Manager? By that I mean: let Magisk Hide change ro.debuggable, ro.secure, ro.build.tags, ro.build.type and so on by default, but have an option for the user to leave them unchanged in settings, one toggle per prop maybe.

You mentioned something like this in the latest release notes, so maybe you're already on it...

Ibuprophen commented 7 years ago

I just wanted to let you know that, recently, I was looking into why Magisk users weren't able to get their SELinux Mode to change using my SELinuxToggler App located on the following thread:

https://forum.xda-developers.com/android/apps-games/app-selinuxtoggler-t3574688

I've got to be honest and state that, though I was familiar with Magisk in general, I've never had the need to use it so I'm not completely familiar with how it really ticks.

I'm trying to do what I can to try and familiarize myself with, at least, the SELinux portion of Magisk and I would be grateful for your assistance (if at all possible with your already busy schedule).

Thanks a Bunch!

topjohnwu commented 7 years ago

Fixed