Allow Settings to set enforcing and booleans if settings_manage_selinux is true.
diff --git a/system.te b/system.te
index cba07e3..ef0d12e 100644
--- a/system.te
+++ b/system.te
@@ -24,6 +24,15 @@
# Read SELinux enforcing status.
selinux_getenforce(system_app)
+bool settings_manage_selinux true;
+if (settings_manage_selinux) {
+# Allow settings app to set SELinux to enforcing
+selinux_setenforce(system_app)
+
+# Allow settings app to set SELinux booleans
+selinux_setbool(system_app)
+}
+
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
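Review bot: `bool settings_manage_selinux true;` turns the grant on by default, so every build gives `setenforce` and `setbool` to the whole `system_app` domain unless something switches the boolean off. Consider `bool settings_manage_selinux false;` so the capability is opt-in. The comments name the Settings app, but the rules apply to everything that runs in `system_app`. Because `selinux_setbool(system_app)` sits inside the conditional it gates, the domain can presumably flip `settings_manage_selinux` itself. The comment "set SELinux to enforcing" (repeated on `selinux_setenforce` in te_macros) also understates the grant, since `kernel:security setenforce` covers switching to permissive as well; `# Allow system_app to change the SELinux enforcing mode (either direction)` would be accurate.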
diff --git a/te_macros b/te_macros
index 4afc777..75f294c 100644
--- a/te_macros
+++ b/te_macros
@@ -208,3 +208,21 @@
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file r_file_perms;
')
+
+#####################################
+# selinux_setenforce(domain)
+# Allow domain to set SELinux to enforcing.
+define(`selinux_setenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setenforce;
+')
+
+#####################################
+# selinux_setbool(domain)
+# Allow domain to set SELinux booleans.
+define(`selinux_setbool', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setbool;
+')
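Review bot: `selinux_setenforce` and `selinux_setbool` carry identical `selinuxfs` rules and differ only in the `kernel:security` permission, which the header comments do not say. As written, `allow $1 selinuxfs:file rw_file_perms;` gives write access to every file labelled `selinuxfs`, not just the enforce or boolean nodes, so the class permission is what actually limits each macro. I would add a line to each header such as `# Write access to selinuxfs is generic; the kernel:security permission below is the actual gate.` The macro that closes in the context lines at the top of this hunk starts outside it, so I cannot tell whether the two shared `selinuxfs` lines could be reused from it instead of repeated.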