Set SELinux to Permissive with SELinuxToggler App


Want to set SELinux to Permissive mode on your Android? This app will help you do that in a matter of seconds.

SELinux is a Linux kernel security module that was implemented to Android ecosystem in Android 4.3. While it was a huge step towards better Android security, but at the same time also proved to be a hitch for the custom Android universe. It brought problems to root methods and popular mods like Xposed Framework. But with time, the genius minds at XDA community made it possible, and we were again able to enjoy our favorite mods and root (SuperSU).

If you have dealt with SELinux in the past, you would be well acquired with a tool, namely “SELinuxModeChanger”. And as the name suggests, it helped you switch between SELinux permission modes on your Android. The development of the app was soon halted and the developer (XDA member – MrBIMC) finally discarded the project. While the app still works great for Lollipop, and also some devices using Marshmallow, but it has finally reached its end-time with Nougat.

Why would you set SELinux to Permissive?

Since the beginning we have obeyed the old-school mythology, that root permissions on your Android would let you do anything with your device. But with the introduction of SELinux protocol, even root apps could be denied permissions to access certain files or perform several actions. It is one of the reasons that many of you are still not able to get mods like ViPER4Android working correctly.

SELinux changer to Permissive

On every device with Android 5.0 and above, SELinux is fully enforced (Enforcing mode). So to get things in line, the last resort is to change the and set SELinux to Permissive mode. Let us see below how these two modes work.

  • Enforcing: Any process/service that is not explicitly allowed is not only logged but is also enforced denial of permissions. So even if you have root, you won’t be allowed to perform certain actions.
  • Permissive: While if you are able to change it and set SELinux to Permissive, those specific processes/services will only be logged and the permission denial will NOT be enforced.

So with the Permissive mode, your root apps or mods will again have full power over your Android device.

Install SELinuxToggler

SELinuxToggler offers to switch SELinux modes through an Android application user-interface. It has been developed by XDA member Ibuprophen, who decided to take over the project and made necessary changes to make it support the latest Android version. It can be installed and used on any device with Android 4.2 or above.

Install SELinuxToggler applicationSo if you have been using modified boot script mods previously on Nougat, you can just relieve yourself from them and use this app to make things easy again.

The app could be installed either by simply installing the APK or by flashing a flashable zip through TWRP. So choose your desired method and get your installation file from here. You must also have a proper root method (preferably SuperSU) and Busybox installed on your Android.

How to Set SELinux to Permissive

Run the app once it has been installed on the device. If you are prompted for root permissions on the first run, then make sure to grant them. The app’s UI is pretty straightforward with just two buttons. You can simply tap on the Permissive button to change the SELinux status.

Set SELinux to Permissive using SELinuxTogglerHowever the app still has limitations. It will still not be able to make permanent changes to the boot script. So every time you reboot your device, the SELinux status will be rolled back to “Enforcing”. But then, the app will automatically launch (along with the other apps that are set to automatically launch upon boot), and will then set the SELinux back to Permissive. No further action would be required unless you decide to open the app and change the SELinux mode back to Enforcing.

So now, you can easily use mods like ViPER4Android without any issues. If you have any problems or questions, post a comment right away. And don’t forget to share this article on your social profiles by clicking the buttons below.

  • I worked for quite some time on this app beginning with fixed flashable zip files within the SELinuxModeChanger thread.

    I then finally implemented those fixes that I had applied within the SELinuxModeChanger zip files in the new SELinuxToggler app and then, when it was eventually stable enough, posted the new SELinuxToggler thread and released the first stable version.

    It’s still a work in progress but, I’ve received very good feedback on the new app.

    I hope everyone enjoys it and I thank everyone for their support through this long process.

    SELinuxToggler Developer

    • Dhananjay

      It’s a pleasure having a word directly from the developer himself. I believe the app will be widely used once more users get to know about it! 🙂 Thank you for your work.

  • Tsiriniaina Rakotonirina

    Thanks a lot Dhananjay for this very full explanation. I appreciate it.
    I’m on S7 edge Nougat, and the only reason I am rooted is because of f.lux or CF.Lumen. But even if I’m rooted using Magisk, I am still not able to make them running because of this Enforcing SELinux.
    I tried to use SELinuxToggler, and when I set to permissive, it reboots right away and come back to Enforcing every time. I repeated it twice and stopped. Is there a way to make a change on Nougat? Do you know any solution?

    • Hi! You’re welcome, and that’s what I am here for. 🙂

      The app is known to have issues with Samsung KNOX and Magisk. While KNOX is a rare case, Magisk could be the real problem here. Have you tried it with SuperSU, instead?

      • Tsiriniaina Rakotonirina

        Wow, thanks a lot for your very quick response.
        Yes, I tried already to root my S7 edge with SuperSU, but then I lost my fingerprint sensor.
        I tried already other different way of rooting it, even in replacing the rom with Toxic, but I had much more issues than using Magisk. I don’t know if you can help me on that, but I repeated the process at least 17times (Format, Install, Root, Restore …) and I finally stick with Magisk. But I’m open to your help if you find a way to get the s7 Edge Snapdragon rooted on SU safely.

        • How did you root using SuperSU? I mean did you flash the zip or used CF-Auto-Root?

          It seems like Snapdragon S7 already contradicts many regular methods.

          • Tsiriniaina Rakotonirina

            It was by Flashing the zip through TWRP.

            I followed this and my fingerprint failed (4 times I repeated the process over and over again):
            1. I tried the root only, the fingerprint failed.
            2. I tried flashing Toxic, but there are too much issues, so I prefer to go back to stock.
            3. I tried the Marshmallow, and everything seems to be perfect, except I am missing the Nougat functionalities. So, I went back to nougat.

            Then, I followed this but failed in bootloop:

            Then finally, I went back to Magisk:

            But still, my f.lux or CF.Lumen is still failing to work.

          • Give a try to CF-Auto-Root.
            1) Unroot by removing Magisk completely.
            2) Download the one for your device model:
            3) Extract the zip, connect the device and run the installer.

            See if it helps anyhow. BTW, what error does f.lux or CF.Lumen show? Any specifics?

          • Tsiriniaina Rakotonirina

            Thank you. I will and let you know. (y)

          • Tsiriniaina Rakotonirina

            Hi Dhananjay,

            Here I tried the CF-Auto-Root and it fails to be flashed using Odin. What do you think is the reason?

            Concerning f.lux, it gained root, but is not working. CF.Lumen as well gained root but shows that “SELinux is set to Enforcing, but your root does not provide the required supolicy tool. Switching SELinux to Permissive or installing SuperSU may fix the problem.”


          • The Odin log shows a block size mismatch, are you sure that you’re using the right file for your device model?

            Plus, have you given a try to “Twilight”? A lot of people recommend it. Here is a link:

            See if it works with Magisk.

          • Tsiriniaina Rakotonirina

            Yes, apparently, my device model is SM-G9350:

            But it still failing.

            Yes, I used already Twilight, but it’s not like f.lux or CF.Lumen because with the 2 later ones, because of root, they are able to invert color and access the GPU and delete completely the Blue color.
            However, Twilight only put a mask on the top of the screen reducing only the blue color.
            ===> The Darkroom of f.lux is incomparable, especially when you use your phone in a darkroom.

          • Is your S7 completely decrypted? Or the is it encrypted?

          • Tsiriniaina Rakotonirina

            Completely decrypted. I don’t appy any encryption on it.

          • That’s actually automatically forced. Go to Settings > Security and check if the encryption option is available or greyed out.

  • anandsr

    Hi Dhananjay,

    I am compiling Android 7.1 (including kernel) for my device, and tried to remove the SELINUX module by commenting out CONFIG_SECURITY_SELINUX. This used to work for Android 5, for disabling SELINUX. But Android 7 refuses to boot. Any idea, why this may happen?

    Same behavior.

    Probably there is some new entity that does not allow booting if SELINUX is disabled.

    I tried setting setenforce = 0 in the init.rc under onboot. The system shows permissive state, but I can still see my apps being denied access.

    I am at my wits end. I don’t see what else I can do to get my apps working short of modifying and defining policies for my new apps, which would be a major undertaking of understanding SELINUX.

    Thanks for any help you can give.


    • Hello, i am not sure if I am the right person to ask this question, since have been out of the development scene since 6.0 was released. But anyhow, things are way, way more different than what were in 5.0 Lollipop. I don’t think its possible to disable SELinux. If you’re talking about dm-verity and forced-encryption, then that is something that could be done easily.

      There’s a reason that you cannot set Permissive SELinux and let it stick even after a reboot. That’s the reason this app was developed, to make things more handy for a front-end user.

      Here’s a scenario where a developer is trying to do something similar:

      • anandsr

        Thanks for the reply.

        • You’re welcome and I hope you find the answer you’re looking for. Good luck!