init: set default selinux mode to permissive

To support selinux enforcing mode, we still have a long way to go.
Let's set the default mode to permissive.

diff --git a/init/Android.mk b/init/Android.mk
index 32d79e2..9eea4b7 100644 (file)
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -7,7 +7,7 @@ LOCAL_PATH:= $(call my-dir)
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1
 else
-init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0
+init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=1
 endif
 
 init_options += -DLOG_UEVENTS=0

diff --git a/init/init.cpp b/init/init.cpp
index eb0e2c3..16402ad 100644 (file)
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -502,11 +502,11 @@ static void selinux_init_all_handles(void)
 enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
 
 static selinux_enforcing_status selinux_status_from_cmdline() {
-    selinux_enforcing_status status = SELINUX_ENFORCING;
+    selinux_enforcing_status status = SELINUX_PERMISSIVE;
 
     import_kernel_cmdline(false, [&](const std::string& key, const std::string& value, bool in_qemu) {
-        if (key == "androidboot.selinux" && value == "permissive") {
-            status = SELINUX_PERMISSIVE;
+        if (key == "androidboot.selinux" && value == "enforcing") {
+            status = SELINUX_ENFORCING;
         }
     });