Blocking change to permissive
Daniel J Walsh
dwalsh at redhat.com
Wed Feb 22 18:33:51 UTC 2012
On 02/22/2012 12:34 PM, Bruno Wolff III wrote:
> I remember that once upon a time there was a boolean (or at least a
> setting in system-config-selinux) that would block root from using
> setenforce to change from enforcing to permissive mode.
>
> I can't seem to find it now on F17. I haven't figured out the
> correct combo to find this via google.
>
> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permissive mode.
>
> Is this setting gone now? If not can someone point me to what it is
> or documentation about it?
>
> Thanks.
>
You need to turn off the unconfined_t user to make this work, especially
as root, and then use sysadm_t.
# semanage boolean -l | grep secure
secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_policyload (off , off) prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values.
secure_mode_insmod (off , off) disallow programs and users from transitioning to insmod domain.
Set secure_mode_policyload to true and you have to reboot to set it back.
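An added check (my own script, not something from the thread or from the SELinux tools) that turns Dan's answer into an audit: the lockdown against `setenforce 0` only holds when the system is enforcing, the shell is not running as unconfined_t, and secure_mode_policyload is on. The function and gap names are mine; the sample contexts are constructed, and the live wrapper assumes `id -Z`, `getenforce` and `getsebool` are present.

```shell
#!/bin/sh
# Evaluate, from the three values that matter, whether a root shell could
# still switch the system to permissive mode.
#   $1: SELinux context of the shell (what `id -Z` prints)
#   $2: current mode (what `getenforce` prints)
#   $3: value of secure_mode_policyload ("on" or "off")
# Prints "locked" when setenforce should be denied, otherwise a
# ';'-separated list of the gaps that still allow it. Always returns 0.
policyload_lockdown_status() {
    ctx="$1"; mode="$2"; policyload="$3"
    gaps=""
    # In permissive mode nothing is denied, so the boolean is moot.
    [ "$mode" = "Enforcing" ] || gaps="${gaps}not-enforcing;"
    # The boolean only restricts confined domains; unconfined_t is not one.
    case "$ctx" in
        *:unconfined_t|*:unconfined_t:*) gaps="${gaps}shell-is-unconfined_t;" ;;
    esac
    [ "$policyload" = "on" ] || gaps="${gaps}secure_mode_policyload-off;"
    if [ -z "$gaps" ]; then echo locked; else echo "$gaps"; fi
    return 0
}

# Live wrapper for an actual SELinux host; `getsebool` prints
# "secure_mode_policyload --> off", so the value is the third field.
audit_live() {
    command -v getsebool >/dev/null 2>&1 || { echo "no SELinux tools"; return 2; }
    policyload_lockdown_status "$(id -Z)" "$(getenforce)" \
        "$(getsebool secure_mode_policyload | awk '{print $3}')"
}

# Constructed sample inputs (not captured from a real machine):
# the default Fedora root shell, and the setup Dan recommends.
echo "unconfined root, boolean off: $(policyload_lockdown_status \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' Enforcing off)"
echo "sysadm_t root, boolean on:    $(policyload_lockdown_status \
    'staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023' Enforcing on)"
```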