Allow Settings to set enforcing and booleans if settings_manage_selinux is true.

system.te

@@ -24,6 +24,15 @@ unix_socket_connect(system_app, keystore, keystore)
 # Read SELinux enforcing status.
 selinux_getenforce(system_app)
 
+bool settings_manage_selinux true;
+if (settings_manage_selinux) {
+# Allow settings app to set SELinux to enforcing
+selinux_setenforce(system_app)
+
+# Allow settings app to set SELinux booleans
+selinux_setbool(system_app)
+}
+
 #
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.

te_macros

@@ -208,3 +208,21 @@ define(`selinux_getenforce', `
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 ')
+
+#####################################
+# selinux_setenforce(domain)
+# Allow domain to set SELinux to enforcing.
+define(`selinux_setenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setenforce;
+')
+
+#####################################
+# selinux_setbool(domain)
+# Allow domain to set SELinux booleans.
+define(`selinux_setbool', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setbool;
+')