Overview of SELinux and Its Use in Android
The article explains SELinux’s origins, core architecture, mandatory access control mechanisms such as type enforcement and MLS, and how Android incorporates SELinux as SEAndroid—detailing its evolution from permissive to enforcing mode, policy file structure, Android O’s split policies, and example domain and object transitions.
This article provides a comprehensive overview of SELinux (Security‑Enhanced Linux), its core architecture, fundamental principles, and how it is integrated into the Android operating system.
1. SELinux Overview
SELinux was initiated by the U.S. National Security Agency (NSA) with contributions from Secure Computing Corporation, MITRE, and academic institutions. It was first released in December 2000 under the GPL license and later merged into the Linux kernel as a Linux Security Module (LSM) starting with kernel 2.6.
SELinux implements Mandatory Access Controls (MAC) by assigning a security context to every object (files, processes, sockets, etc.). Access decisions are based on type enforcement, Multi‑Level Security (MLS), and Role‑Based Access Control (RBAC).
The main components of SELinux are:
SELinuxFS – the selinuxfs pseudo-filesystem (mounted at /sys/fs/selinux) through which userspace loads policy and queries the kernel's SELinux subsystem.
LSM hook sets – integration points in the kernel.
Security Policy Database.
Security Label verification module.
Access Vector Cache (AVC) – caches access decisions for performance.
2. Basic Principles
SELinux is a classic MAC implementation. Each object receives a security context in the form user:role:type[:range]. The type (or domain, for processes) is used in Type Enforcement (TE) rules to decide whether a subject may access an object of a given class with a given permission.
Two major MAC mechanisms are supported:
Type Enforcement (TE) – the most widely used; an allow rule is matched on the subject type, the target type, the object class and the requested permission.
Multi‑Level Security (MLS) – based on the Bell‑LaPadula model, uses the optional range field for hierarchical clearance.
3. SELinux and SEAndroid
Android builds on the standard Linux kernel, so SELinux can be enabled. Starting with Android 5.0 (Lollipop), SELinux is enforced by default and tightly integrated as SEAndroid.
4. SELinux Evolution in Android
Early Android (e.g., KitKat 4.4) ran SELinux in permissive mode, and only for a few privileged processes. From Lollipop onward SELinux runs in enforcing mode. The difference is that permissive mode only logs policy violations, while enforcing mode both logs and blocks them.
5. Impact of SELinux on Android
Strictly limits root privileges.
Reduces attack surface for critical system processes.
Strengthens the app sandbox.
Enables dynamic adjustment of app permissions.
6. SELinux Policy on the Device
Key policy files on an Android device include:
/sepolicy – compiled policy binary.
/file_contexts – mapping of filesystem paths to security contexts.
/seapp_contexts – defines app security contexts.
/service_contexts, /property_contexts, etc.
During KitKat, SELinux settings were experimental and could be overridden by files under /data/security/current/. Later versions use /selinux_version to match the build fingerprint.
7. Policy Changes in Android O
Android O (8.0) introduced a major architecture split (system, vendor, ODM) and consequently separated SELinux policies:
Public – definitions shared between system and vendor.
Private – system‑only definitions.
Vendor – vendor‑only definitions that may reference public items.
Mapping – compatibility layer for older policy versions.
Policy is now shipped as CIL (Common Intermediate Language) source rather than only as a prebuilt monolithic binary; the system and vendor CIL files are compiled together into the binary kernel policy. System policy resides in system/etc/selinux, while vendor policy is in vendor/etc/selinux.
8. Example Domain and Object Transitions
Domain transition example (init launching Apache):
    allow init_t apache_exec_t : file { read getattr execute };
    allow init_t apache_t : process transition;
    allow apache_t apache_exec_t : file entrypoint;
    type_transition init_t apache_exec_t : process apache_t;

The three allow rules grant init_t execute access to the binary, permit init_t to transition into apache_t, and mark apache_exec_t as a valid entrypoint for apache_t; the type_transition rule then makes the domain switch happen automatically on exec.

Object transition example (ext_gateway creating a file in an in_queue_t directory):

    allow ext_gateway_t in_queue_t : dir { write search add_name };
    allow ext_gateway_t in_file_t : file { write create getattr };
    type_transition ext_gateway_t in_queue_t : file in_file_t;

Without the type_transition rule the new file would simply inherit the in_queue_t type of its parent directory.
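To show why a domain transition needs all three allow rules plus the type_transition, here is an added example (not code from the article) that parses the two rule sets above with a tiny Python evaluator, computes the resulting domain or file type, and reports which rule is missing when one is dropped. The parser handles only the single-source, single-target, single-class rule shape used in these snippets; the policy text is a constructed sample copied from them.

```python
import re
from collections import defaultdict

# Constructed sample policy: the two rule sets quoted in the article above.
POLICY = """
allow init_t apache_exec_t : file { read getattr execute };
allow init_t apache_t : process transition;
allow apache_t apache_exec_t : file entrypoint;
type_transition init_t apache_exec_t : process apache_t;
allow ext_gateway_t in_queue_t : dir { write search add_name };
allow ext_gateway_t in_file_t : file { write create getattr };
type_transition ext_gateway_t in_queue_t : file in_file_t;
"""

# Only the simple one-source, one-target, one-class rule shape used above is parsed.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{?\s*([\w\s]+?)\s*\}?\s*;")
TT_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")

def parse(policy):
    """Return allow[(src, tgt, cls)] -> set of perms and trans[(src, tgt, cls)] -> new type."""
    allow, trans = defaultdict(set), {}
    for src, tgt, cls, perms in ALLOW_RE.findall(policy):
        allow[(src, tgt, cls)].update(perms.split())
    for src, tgt, cls, new in TT_RE.findall(policy):
        trans[(src, tgt, cls)] = new
    return allow, trans

def allowed(allow, src, tgt, cls, perm):
    return perm in allow.get((src, tgt, cls), set())

def exec_domain(allow, trans, domain, exec_type):
    """Domain a process in `domain` lands in after exec'ing a file of type `exec_type`,
    with the reason; (None, reason) when the kernel would refuse the exec."""
    if not allowed(allow, domain, exec_type, "file", "execute"):
        return None, "no execute permission on the file"
    new = trans.get((domain, exec_type, "process"), domain)
    if new == domain:  # no type_transition: stay put (real kernel also wants execute_no_trans)
        return domain, "no transition"
    if not allowed(allow, domain, new, "process", "transition"):
        return None, f"{domain} may not transition to {new}"
    if not allowed(allow, new, exec_type, "file", "entrypoint"):
        return None, f"{exec_type} is not an entrypoint for {new}"
    return new, "transition"

def create_label(allow, trans, domain, dir_type, cls="file"):
    """Type a new object of class `cls` gets when `domain` creates it in a `dir_type` directory."""
    if not all(allowed(allow, domain, dir_type, "dir", p) for p in ("write", "search", "add_name")):
        return None
    new = trans.get((domain, dir_type, cls), dir_type)  # default: inherit the parent directory's type
    return new if allowed(allow, domain, new, cls, "create") else None
```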
OPPO Kernel Craftsman
Sharing Linux kernel-related cutting-edge technology, technical articles, technical news, and curated tutorials