When developing Android from AOSP, you may sometimes encounter SELinux denials that block app behavior or system services. While the ideal solution is to define proper SELinux policies, in early development stages it can be helpful to temporarily switch SELinux to permissive mode. This allows the system to log violations without enforcing them—providing visibility while avoiding crashes.
In this guide, we’ll walk you through the correct way to make SELinux permissive in AOSP builds by modifying BoardConfig.mk, the configuration file that governs device-specific build flags.
🧭 Step-by-Step Guide: Make SELinux Permissive via BoardConfig.mk
📄 1. Open Your BoardConfig.mk
Navigate to your device’s config folder. For example:
device/<vendor>/<device-name>/BoardConfig.mk
✏️ 2. Add the Following Line
Append the following kernel command-line argument:
BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
This tells the kernel to boot Android in permissive SELinux mode. In permissive mode, SELinux still logs violations, but it does not block any actions.
⚠️ 3. Use Only for Development
Do not use this in production builds! Permissive mode disables SELinux enforcement, reducing security and increasing the risk of exploitation.
🛠️ Rebuild Your Android Image
After saving the changes:
source build/envsetup.sh
lunch <your_device_target>
make -j$(nproc)
Then flash the updated image:
fastboot flash boot boot.img
fastboot flash system system.img
🔍 How to Verify It Worked
Once your device has booted, check the SELinux status:
adb shell getenforce
If everything worked, it should output:
Permissive
🚫 Alternative: Avoid Full Device Permissive
If you only want a specific domain to be permissive, it’s better to adjust your SELinux policy instead of making the whole system permissive. Let us know if you need help with that!