AOSP Notes

SELinux

SELinux, or Security-Enhanced Linux, is a mandatory access control (MAC) security mechanism integrated into the Linux kernel and, consequently, the Android operating system.

It is a set of rules that are enforced by the kernel.

It restricts the actions that processes and users can perform on the system.

SELinux depends on labels (security contexts attached to every process and object) to enforce access control.

SELinux operates on the principle of default denial: everything is denied unless a rule explicitly allows it.

Syntax

allow <domain> <type>:<class> <permissions>;

Example 1:

allow system_server system_file:file read;

Meaning:

Processes in the system_server domain may read files labelled with the system_file type.

Example 2:

allow system_server camera_device:chr_file rw_file_perms;

Meaning:

system_server may read and write the camera character device; rw_file_perms is a policy macro that expands to the read and write file permissions.

Example

Imagine an Android application that attempts to control the device's flashlight by writing to the file /sys/class/leds/flashlight/brightness.

No rule allows the app's domain to write that file, so SELinux denies the write and the kernel logs an AVC denial.

neverallow

Example:

neverallow appdomain system_file:file write;

Meaning:

No domain carrying the appdomain attribute may ever be granted write access to files of type system_file.

The policy build fails if any allow rule violates a neverallow.

SELinux Policy Files

Policies live in:

system/sepolicy/

Operation Modes

SELinux can operate in one of two global modes:

Permissive Mode: Violations are logged as "avc: denied" messages but are not blocked.

Enforcing Mode: Violations are logged and are blocked.

avc: denied { read } for pid=1234 comm="system_server"
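The flashlight scenario, the neverallow rule and the AVC log lines above come together in the following example, added here and not part of the original notes: it parses "avc: denied" lines into their fields, merges them into allow rules in the syntax shown earlier, and flags any suggested rule that the page's neverallow would reject at build time. The log lines are constructed for the example, and the membership of the appdomain attribute is an assumption, not AOSP's full list.

```python
import re
from collections import defaultdict

# Constructed sample denials (not captured from a device). The first one mirrors
# the page's scenario: an app writing a sysfs LED node. permissive=1 marks a
# denial that was logged but not blocked.
SAMPLE_AVC = """\
avc: denied { write } for pid=4321 comm="com.example.torch" name="brightness" dev="sysfs" ino=1234 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=0
avc: denied { read } for pid=1234 comm="system_server" name="build.prop" dev="dm-0" ino=99 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
avc: denied { write open } for pid=4321 comm="com.example.torch" name="hosts" dev="dm-0" ino=7 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=u:r:(?P<sdom>\w+):s0.*?'
    r'tcontext=u:(?:r|object_r):(?P<ttype>\w+):s0.*?'
    r'tclass=(?P<tclass>\w+)(?:.*?permissive=(?P<mode>[01]))?'
)

# Assumed attribute membership for the page's "appdomain" (illustrative only).
ATTRIBUTES = {"appdomain": {"untrusted_app", "platform_app", "priv_app"}}
# The page's neverallow, as (subject attribute or domain, type, class, perms).
NEVERALLOW = [("appdomain", "system_file", "file", {"write"})]

def parse_avc(line):
    """Return the fields of one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"sdom": m.group("sdom"), "ttype": m.group("ttype"),
            "tclass": m.group("tclass"), "perms": set(m.group("perms").split()),
            "permissive": m.group("mode") == "1"}

def suggest_rules(log):
    """Merge denials into 'allow <domain> <type>:<class> <perms>;' rules."""
    merged = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["sdom"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted(f"allow {s} {t}:{c} {' '.join(sorted(p))};"
                  for (s, t, c), p in merged.items())

def violates_neverallow(sdom, ttype, tclass, perms):
    """True if granting this rule would trip a neverallow (build failure)."""
    for subj, t, c, forbidden in NEVERALLOW:
        if sdom in ATTRIBUTES.get(subj, {subj}) and ttype == t \
                and tclass == c and perms & forbidden:
            return True
    return False
```

Running suggest_rules over the sample yields three rules; the one granting untrusted_app write on system_file is exactly what the neverallow forbids, which is why a denial should prompt a review of labels and design rather than a blanket allow.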

Types of Access Control Models

MAC (Mandatory Access Control): The system policy determines which subjects (Android processes) can access which objects (files, sockets, ports, etc.); the owner of an object cannot override it.

DAC (Discretionary Access Control): The owner of an object specifies which subjects can access the object.

Last modified: 19 March 2026