As I feared, Google is against letting people tweak SELinux. This is stated explicitely in the Android Compatibility Definition Document:
SELinux or any other security features implemented below the Android
framework:
However, the good news is that there is indeed a FOSS project porting SELinux tools to Android: setools-android. This tools ports the usual seinfo
and sesearch
commands as can be found in the upstream SELinux Tools project, but it also adds the sepolicy-inject
command which allows to modify the current policy or set a domain in permissive mode.
This however suffer from a big issue: unlike on standard computers, modifications made to the /sepolicy
file which stores SELinux policy are not persistent and will be lost upon device restart.
In fact, this file as part of the root directory is stored in a RAM disk image which, in turn, is stored in the device's boot image and extracted during the device's boot sequence. To apply permanent modification to this file it is therefore necessary to modify the version stored within the device's boot image.
While the operation may still be possible from the device itself (as far as I know SuperSU for instance updates the boot image as part of its installation procedure), for my use-case I find it more convenient to do the operation from an external computer connected to the phone (here is my detailed procedure). Tools running on the device still remain useful though when frequent checks and updates of the SELinux policy are required (typically during development stages) and for automation (if a project needs a SuperSU-like installer for instance).