Producing a user build of AOSP with permissive SElinux policy

Question

I am going to build an AOSP 13 for a Pixel 4a device. I have embedded a few system apps related to OTA functionalities. So, the system needs to be set permissive after each boot operation. I know that the following rule works for userdebug and eng builds.

BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive

But I am going to deliver the device to a third-party user, and I need to produce a user build. However, the above-mentioned approach does not work for a user build. I know that I should either write a specific policy for this purpose or modify the system policies like allow and neverallow rules. Is there any experience, solution or tools that have already implemented this process?

Answer 1

Finally, I could handle the situation by hacking two functions of selinux.cpp placed at system/core/init in AOSP 13 source code. According to the code demonstrated below, I just enforced selinux to set permissive state under any circumstances, regardless of enforcing status coming from build types like user build by returning SELINUX_PERMISSIVE value for function StatusFromProperty(), and returning false for function IsEnforcing(). In these situations, selinux only sets to be permissive.

EnforcingStatus StatusFromProperty() {
    return SELINUX_PERMISSIVE; //in early stage, the function returns permissive status
    EnforcingStatus status = SELINUX_PERMISSIVE;
    ImportKernelCmdline([&](const std::string& key, const std::string& value) {
        if (key == "androidboot.selinux" && value == "permissive") {
            status = SELINUX_PERMISSIVE;
        }
    });

    if (status == SELINUX_ENFORCING) {
                        status = SELINUX_PERMISSIVE;
    }
    return SELINUX_PERMISSIVE;
}

bool IsEnforcing() {
    return false; //selinux returns false under any enforcing circumstances. 
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromProperty() == SELINUX_PERMISSIVE;
    }
    return true;
}

I have tested the above-mentioned code for a user build on a Pixel 4a device with Android 13, and it really works!