What are the SELinux modes?

  • Enforcing: in this mode, SEPolicy is enforced on system services, thus device is more secure, and harder to exploit, maintainers are required SEPolicy rules for all the device functions to work and for all features to be fully functional.
  • Permissive: in this mode, SEPolicy isn’t enforced, but basic definitions are used just for the phone to boot and basic functionality to work, further rules might be needed by the maintainer to get the phone to a “stable” state on permissive but not as close to those needed on Enforcing mode, this mode is usually not suggested for daily driver builds due to it being a Security Compromise, and is sometimes used in testing until things are final so the Developer works on SEPolicy.