Discussion  - 
 
The latest firmwares for the GT-I9505 Galaxy S4 LTE have SELinux enabled and set to enforcing by default. These are official retail firmwares that will be available for download by normal end-users through KIES or OTA updates. The Samsung Unpacked event today put a bit of emphasis on their KNOX security package, possibly this is related, as these firmwares were also released today.

The firmware I personally played with (available from SamMobile.com) were all marked I9505XXUDMGG , though others say ...H8 also has this.

Thought some of you might want to know about this development, and poke at it. I haven't run into any (non-root) apps that had any problems with it yet, so it seems to be fine so far.

su calls are detected and you get a nice little popup which claims it stopped some process, but it really hasn't. With some adjustments, SuperSU was made to work pretty much as it always has.
14
3
Jorrit Jongma's profile photoGregor J. Rothfuss's profile photoMark Manning's profile photoeagle wings's profile photo
5 comments
 
OK.. What policies are they enforcing? I've been playing with this in the previous releases and have only managed to make android crash. What does this matter? No root allowed?
 
I'm not sure of the exact policies, I only played with it to get SuperSU to work. I've not compared them to the standard 4.3 policies or the original SEAndroid ones. Take a look for yourself if you want - I just posted the information here because I know some of the readers here are interested in SELinux, and a retail firmware having it set to enforcing is (I believe) a first. 
 
Ah. You added much more. Your original post was basically that it is there. I see that they are attempting to block traditional root, but apparently your service is unaffected? Do you suppose that there may be a problem in the future with your service if they update policies remotely?
 
I don't have an i95xx. I have AT&T variant. What happens if you rename the process? I'm wondering if they are monitoring SUID, or if they are just blocking binaries named su.
 
Sure, there may be a problem in the future if they update. They are monitoring more than the binary name, I've tested that. I'm not sure what call triggers this popup. I do intend to find out, but I'm going to hang back with that until there are kernel sources for a KNOX firmware, as it will probably be much easier to find.
Add a comment...