Tip

How to manage and modify SE Android

SE Android protects against malware, but it can also block regular functions. You can modify SE Android settings to re-enable those apps and features.

You can modify SE Android to monitor devices and improve security, but doing so requires rooting devices, so it isn't for everyone.

Security enhanced (SE) Android is based on SELinux, a set of kernel add-ons and access control tools that let apps and other software run with only the minimum privileges they need to work correctly. This helps lessen the damage that malware can do, but it can sometimes block applications or functions that employees might need. SELinux comes with many features that allow server admins to permit functions that SELinux might otherwise block. On Android devices running operating system version 4.2 and up, these tools are available as well, and you can modify the default SE Android behavior as long as you have shell and root access to the Android devices.

Getting shell access is easy: Have users download SSHDroid, an Android app that allows you to access their devices from a computer using Secure Shell (SSH). Gaining root access may be a bit more complicated. You can either use the Android Debug Bridge (adb) command, which is part of the Android software developer's kit (SDK), or you can root the device to get full access. Taking this approach isn't for everyone because device vendors don't support rooting.

Running SE Android commands from the Android shell

Once you've obtained access to the Android device, run the getenforce command, which tells you which mode SE Android is currently operating in. In Android 4.2 and 4.3, SE Android runs in Permissive mode by default. In Android 4.4 and later, SE Android runs in Enforcing mode, which provides more protection than Permissive mode. Enforcing mode prevents malicious actions and logs application data to offer device protection, whereas Permissive mode only logs system calls; it doesn't block anything.

Before you switch a device to Enforcing mode, you need to see if SE Android is blocking apps and functions that you don't want to be blocked. Find out by typing dmesg | grep avc. The dmesg command shows you all events that the kernel has logged, and grep avc lets you see all system calls that SE Android has blocked.

Understanding SE Android denials

Unfortunately, it can be difficult to understand the messages that SE Android logs. All of the avc messages indicate an action that SE Android blocked, but the logs cannot tell you if it was a malicious action or an action that should normally have been allowed. Sometimes you won't be able to tell what is being blocked or why. If the log messages leave you confused, try switching the device to Enforcing mode and see what happens. This will block many functions on the device, but it will also let you see what functions will and won't work anymore.

To put a device in Enforcing mode, use the command adb shell su 0 setenforce 1, then reboot the device. Try some apps after the reboot and see which ones work. Taking inventory will help you decide which apps and actions to re-enable. You will need to create rules to enable those features. The easiest way to do that is to capture all the denial messages, store them in a file and apply that file to the SE Android environment of a device with audit2allow using the command adb shell su 0 cat /proc/kmsg > denial.txt &.

Before continuing, look at the file and try to understand why the denial messages are coming in. Once you're confident that you want to allow the system calls that had previously been denied, you can use the command audit2allow -p out/target/product/<your-device-here>/root/sepolicy < denial.txt. This opens SE Android for all system calls that were previously blocked.

Dig Deeper on Mobile operating systems and devices