About Closing SELinux

[YeJZ]

Hi, here is my reprodued exploit on Pixel 6:

I noticed that we need to manually execute setenforce 0 after using magisk to escalate to ROOT.

But in mymod.c, I see that the KO file already has the code to set SELINUX to Permissive mode.

Why do we need to manually set setenforce to 0 when selinux is already set to permissive in the KO file?

[polygraphene]

Because you are in a permissive domain.
Permissive domain means permissive mode only when you are in that domain. The kernel module put vendor_modprobe onto a permissive domain.

You need setenforce 0 if you want all domains on the system to be permissive. But I don' think you need that because u:r:magisk:s0 is also a permissive domain. When you run su command, all operations is executed on the permissive domain.

[YeJZ]

OK.I see a lot of chcon conmand in the script named Start-Root,so it is the reason that u:r:magisk:S0 is a permissive domain, Right? And we can execute chcon command only if we are already in a permissive domain, that's why we need to set vendor_modprobe onto permissive domain first.

[polygraphene]

OK.I see a lot of chcon conmand in the script named Start-Root,so it is the reason that u:r:magisk:S0 is a permissive domain, Right?

Yes.

And we can execute chcon command only if we are already in a permissive domain, that's why we need to set vendor_modprobe onto permissive domain first.

Yes.