tough neverallow
by Henry Zhang
Hi folks,
I have met a tough neverallow problem:
(neverallow base_typeattr_8 self (capability (sys_module)))
| <root>
| allow at
/mnt/disk2/henryzhang/sec-4715/connectivity-bsp/build-ctx0700-updater/tmp/work/ctx0700-fsl-linux/refpolicy-mcs/2.20190201-r0/image/var/lib/selinux/mcs/tmp/modules/100/ota_client/cil:678
| (allow ota_client_t self (capability (net_raw sys_module sys_resource mknod)))
The SELinux interface does not contain ota_client_t, but the file
usr/share/selinux/devel/include/system/unconfined.if has: allow $1
self:capability ~{ sys_module };
I do not know how to make the following work:
allow ota_client_t self (capability (net_raw sys_module sys_resource mknod))
Please advise.
Thanks.
----henry
9 months, 1 week
user configuration
by Henry Zhang
Hi,
I want to understand the content of the seusers configuration:
root:root:s0-s0:c0.c1023
__default__:user_u:s0-s0
I do not know why it looks like that.
----henry
9 months, 1 week
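The two lines quoted above are the seusers file format, login:seuser:MLS-range. As an added example (the editor's, not code from the post or from libselinux), here is a small parser that resolves a login the way getseuserbyname(3) does at login time: the exact login entry wins, otherwise the __default__ entry applies. With this file, root maps to the SELinux user root with range s0-s0:c0.c1023, that is level s0 with every MCS category c0 to c1023, so root's processes can reach any category-labelled file; every other login maps to user_u with just s0 and no categories. The parser is simplified: it ignores the %group form of login entries that libselinux also accepts.

```python
"""Resolve a Linux login to its SELinux user and MLS/MCS range from an
/etc/selinux/<policy>/seusers file.  Editor's added example; the sample
content is the two-line file quoted in the post."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: exactly the two entries quoted in the post.
SEUSERS_SAMPLE = """\
root:root:s0-s0:c0.c1023
__default__:user_u:s0-s0
"""


@dataclass(frozen=True)
class SeuserEntry:
    login: str   # Linux login name, or the catch-all "__default__"
    seuser: str  # SELinux user identity (as listed by `semanage user -l`)
    low: str     # lowest level the login may operate at
    high: str    # clearance: highest level (and categories) it may use


def parse_range(mls_range: str) -> Tuple[str, str]:
    """Split "s0-s0:c0.c1023" into (low, high); a lone level means low == high."""
    low, sep, high = mls_range.partition("-")
    return (low, high) if sep else (low, low)


def parse_seusers(text: str) -> Dict[str, SeuserEntry]:
    """Each line is login:seuser[:range]; '#' starts a comment.  The range is
    optional on non-MLS policies and then defaults to s0."""
    entries: Dict[str, SeuserEntry] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)  # the range itself contains ':' (level:categories)
        if len(fields) < 2:
            raise ValueError(f"malformed seusers line: {raw!r}")
        low, high = parse_range(fields[2] if len(fields) == 3 else "s0")
        entries[fields[0]] = SeuserEntry(fields[0], fields[1], low, high)
    return entries


def lookup(entries: Dict[str, SeuserEntry], login: str) -> Optional[SeuserEntry]:
    """Exact login match first, then __default__; None if neither exists.
    (%group entries, which libselinux also honours, are not implemented.)"""
    return entries.get(login) or entries.get("__default__")
```

On the quoted system, lookup(entries, "root") yields range low s0 and high s0:c0.c1023, while any other login falls through to user_u with s0 only, which is why the file looks the way it does.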
neverallowed
by Henry Zhang
Hi,
How should I handle a neverallow?
1. Make it work by bypassing it?
2. Make some change to the rule to avoid hitting the neverallow?
Thanks
---henry
9 months, 2 weeks
label
by Henry Zhang
Hi,
I want to do custom SELinux with policies.
The first challenge I am facing is to check if the label is correct or not
instead of using audit2allow first.
How do I know whether the labeling is correct from a denial message in
/var/log/audit.log?
Thanks.
---henry
9 months, 3 weeks
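The check a practitioner makes before reaching for audit2allow is to compare the tcontext in the denial with the context that file_contexts assigns to the same path (on a live system, `ls -Z` against `matchpathcon`): if they differ the file is mislabeled and restorecon is the fix; if they match the label is right and the policy genuinely lacks a rule. As an added example (the editor's, not code from the post), here is that comparison in Python over constructed audit lines. Assumptions: the denial lines, the file_contexts excerpt and the type ota_data_t are all made up for the example, and the precedence rule for overlapping file_contexts entries is simplified (longest literal prefix wins, later line wins ties); use matchpathcon on the real system for the authoritative answer.

```python
"""Classify an AVC denial as a labeling problem, a policy gap, or undetermined.
Editor's added example: it compares the tcontext type seen in the denial with
the type file_contexts says the path should carry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample denials; ota_client_t/ota_data_t are illustrative names.
SAMPLE_AVC_MISLABELED = (
    'type=AVC msg=audit(1675900000.101:301): avc:  denied  { read } for  '
    'pid=812 comm="ota_client" path="/var/lib/ota/update.bin" dev="mmcblk0p3" '
    'ino=4242 scontext=system_u:system_r:ota_client_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'
)
SAMPLE_AVC_POLICY_GAP = SAMPLE_AVC_MISLABELED.replace("{ read }", "{ write }") \
    .replace("object_r:var_t", "object_r:ota_data_t")
SAMPLE_AVC_NO_PATH = (  # the kernel only knew the basename, not the full path
    'type=AVC msg=audit(1675900000.103:303): avc:  denied  { getattr } for  '
    'pid=812 comm="ota_client" name="update.bin" dev="mmcblk0p3" ino=4242 '
    'scontext=system_u:system_r:ota_client_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'
)

# Constructed file_contexts excerpt: <regex> [file-type flag] <context>.
SAMPLE_FILE_CONTEXTS = """\
/.*                    system_u:object_r:default_t:s0
/var(/.*)?             system_u:object_r:var_t:s0
/var/lib/ota(/.*)?     system_u:object_r:ota_data_t:s0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
_META = re.compile(r"[.^$?*+|\[\](){}\\]")  # regex metacharacters


@dataclass
class Denial:
    perms: List[str]
    fields: Dict[str, str]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]  # user:role:TYPE[:level]

    @property
    def path(self) -> Optional[str]:
        return self.fields.get("path")  # absent when only name= was logged


def parse_avc(line: str) -> Denial:
    m = _PERMS.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return Denial(perms=m.group(1).split(), fields=fields)


def parse_file_contexts(text: str) -> List[Tuple[str, str]]:
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            specs.append((parts[0], parts[-1]))  # skip the optional -- / -d flag
    return specs


def _stem_len(regex: str) -> int:
    """Length of the literal prefix before the first regex metacharacter."""
    m = _META.search(regex)
    return m.start() if m else len(regex)


def expected_type(path: str, specs: List[Tuple[str, str]]) -> Optional[str]:
    """Simplified libselinux precedence: among entries whose regex matches the
    whole path, the longest literal stem wins and a later line wins ties."""
    best = None
    for regex, context in specs:
        if re.fullmatch(regex, path) and (best is None or _stem_len(regex) >= best[0]):
            best = (_stem_len(regex), context)
    return best[1].split(":")[2] if best else None


def classify(line: str, specs: List[Tuple[str, str]]) -> Tuple[str, str]:
    d = parse_avc(line)
    if d.path is None:
        return ("undetermined",
                f"no path= in the denial; locate dev={d.fields.get('dev')} "
                f"ino={d.fields.get('ino')} and compare `ls -Z` with `matchpathcon`")
    want = expected_type(d.path, specs)
    if want is None:
        return ("undetermined", f"{d.path} matches no file_contexts entry")
    if want != d.target_type:
        return ("mislabeled",
                f"{d.path} is {d.target_type} but file_contexts says {want}; "
                f"run `restorecon -v {d.path}`")
    source_type = d.fields["scontext"].split(":")[2]
    return ("policy-gap",
            f"{d.path} is correctly {want}; the policy lacks "
            f"allow {source_type} {want}:{d.fields['tclass']} {{ {' '.join(d.perms)} }}")
```

The third sample shows the edge case that makes this check impossible from the log alone: when the denial carries only name= and an inode, you have to find the object on disk first, which is why a verdict of "undetermined" is returned rather than a guess.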
get rid of setenforce
by Henry Zhang
Hi folks,
setenforce allows users to swap the SELinux mode between enforcing and
permissive.
I want my SELinux to stay in enforcing mode forever so that nobody is
able to interfere with it.
What should I do?
Thanks.
---henry
9 months, 3 weeks
Re: get rid of setenforce
by donniet@tds.net
The "setenforce" utility requires root privileges to run. If you don't want people to mess with your SELinux configuration, don't give them the privileges to do it. First, don't give anyone the password for the root user. Secondly, instead of granting full sudo privileges to your users, just grant them whatever sudo privileges they need to perform their jobs, and nothing else.
----- Original Message -----
From: "selinux-request" <selinux-request(a)lists.fedoraproject.org>
To: selinux(a)lists.fedoraproject.org
Sent: Thursday, February 9, 2023 4:32:56 PM
Subject: selinux Digest, Vol 221, Issue 1
Today's Topics:
1. Re: get rid of setenforce (Simon Sekidde)
2. Re: get rid of setenforce (Henry Zhang)
----------------------------------------------------------------------
Date: Thu, 9 Feb 2023 16:29:15 -0500
From: Simon Sekidde <ssekidde(a)redhat.com>
Subject: Re: get rid of setenforce
To: Michael Radecker <michaelradecker(a)gmail.com>
Cc: Henry Zhang <henryzhang62(a)gmail.com>,
selinux(a)lists.fedoraproject.org
Henry,
With SELinux you can confine the root user and enable
the secure_mode_policyload boolean.
Kind Regards,
On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker(a)gmail.com>
wrote:
> Henry,
>
> The setenforce command switches SELinux temporarily. To make it persist,
> change the /etc/selinux/config file and reboot.
>
>
> -Mike
>
> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>
>> Mike,
>>
>> setenforce can change mode. See:
>>
>> root@ctx0700:~# cat /etc/selinux/config
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enforcing
>>
>> root@ctx0700:~# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: mcs
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Memory protection checking: requested (insecure)
>> Max kernel policy version: 31
>>
>> root@ctx0700:~# setenforce 0
>> root@ctx0700:~# getenforce
>> Permissive
>> root@ctx0700:~# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: mcs
>> Current mode: permissive
>> Mode from config file: enforcing
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Memory protection checking: requested (insecure)
>> Max kernel policy version: 31
>>
>> -----henry
>>
>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <
>> michaelradecker(a)gmail.com> wrote:
>>
>>> Henry,
>>>
>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>
>>> When you reboot, your system will be enforcing SELinux policies and it
>>> will persist. I'm also including a link to Red Hat documentation regarding
>>> this topic.
>>>
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>
>>> -Mike
>>>
>>>
>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62(a)gmail.com>
>>> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> setenforce allows users to swap selinux mode between enforcing and
>>>> permissive.
>>>> If I want my selinux to stay in enforcing mode forever so that nobody
>>>> is able to interfere with my selinux.
>>>>
>>>> What should I do?
>>>>
>>>> Thanks.
>>>>
>>>> ---henry
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>> Do not reply to spam, report it:
>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>
--
Simon Sekidde
------------------------------
Date: Thu, 9 Feb 2023 13:32:16 -0800
From: Henry Zhang <henryzhang62(a)gmail.com>
Subject: Re: get rid of setenforce
To: Michael Radecker <michaelradecker(a)gmail.com>
Cc: selinux(a)lists.fedoraproject.org
Mike,
If SELinux mode can be set to permissive temporarily so that people can
control the device, is there any way to prevent that?
---henry
------------------------------
------------------------------
End of selinux Digest, Vol 221, Issue 1
***************************************
9 months, 3 weeks
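The replies in this thread add up to layered controls: keep SELINUX=enforcing in /etc/selinux/config for the next boot, confine root so that no domain a user can reach is allowed the security-class setenforce permission, and turn on secure_mode_policyload, the boolean that refpolicy uses to withdraw the setenforce and load_policy permissions from the domains that otherwise have them. Two further weaknesses are visible in the sestatus output quoted above: "Policy deny_unknown status: allowed" means permissions the policy does not know about are granted, and "Memory protection checking: requested (insecure)" means checkreqprot=1, so mmap/mprotect checks look at the requested rather than the actual protection. Only building the kernel with CONFIG_SECURITY_SELINUX_DEVELOP=n removes permissive mode entirely; everything else is policy and userland. As an added example (the editor's, not code from the thread), here is a Python check of the state files behind that sestatus output. Assumptions: the paths under /sys/fs/selinux and /etc/selinux/config are those of the quoted system, and the expected values encode the hardened settings described above.

```python
"""Report every setting that still lets SELinux be weakened at run time.
Editor's added example; it reads the selinuxfs files behind `sestatus`
and flags values that differ from the hardened configuration."""
import os
import re
from typing import Dict, List

SELINUXFS = "/sys/fs/selinux"

# Files inspected; the keys are the names assess() uses.
SOURCES = {
    "config": "/etc/selinux/config",
    "enforce": f"{SELINUXFS}/enforce",                                # "1" or "0"
    "policyload": f"{SELINUXFS}/booleans/secure_mode_policyload",     # "<current> <pending>"
    "deny_unknown": f"{SELINUXFS}/deny_unknown",                      # "1" = deny
    "checkreqprot": f"{SELINUXFS}/checkreqprot",                      # "0" = secure
}


def collect(root: str = "/") -> Dict[str, str]:
    """Read each source below root (root lets the check run on an image tree);
    files that do not exist are simply left out of the result."""
    state: Dict[str, str] = {}
    for key, path in SOURCES.items():
        try:
            with open(os.path.join(root, path.lstrip("/"))) as fh:
                state[key] = fh.read()
        except OSError:
            pass
    return state


def config_mode(config_text: str) -> str:
    """Value of the SELINUX= line in /etc/selinux/config, or 'missing'."""
    m = re.search(r"^\s*SELINUX\s*=\s*(\w+)", config_text, re.MULTILINE)
    return m.group(1).lower() if m else "missing"


def assess(state: Dict[str, str]) -> List[str]:
    """One finding per setting that would let someone leave enforcing mode."""
    findings = []
    if config_mode(state.get("config", "")) != "enforcing":
        findings.append("SELINUX= in /etc/selinux/config is not 'enforcing'; "
                        "the next boot will not enforce")
    if state.get("enforce", "").strip() != "1":
        findings.append("kernel is not enforcing right now (setenforce 1, then fix the cause)")
    current = (state.get("policyload") or "0 0").split()[0]
    if current != "1":
        findings.append("secure_mode_policyload is off: domains the policy allows "
                        "security { setenforce load_policy } can flip to permissive; "
                        "fix with: setsebool -P secure_mode_policyload on")
    if state.get("deny_unknown", "").strip() != "1":
        findings.append("deny_unknown is 'allowed': permissions unknown to the policy "
                        "are granted; build the policy with handle-unknown=deny")
    if state.get("checkreqprot", "").strip() != "0":
        findings.append("checkreqprot=1 (insecure): mmap/mprotect are checked against the "
                        "requested protection; boot with checkreqprot=0")
    return findings


if __name__ == "__main__":
    for finding in assess(collect()) or ["no weak settings found"]:
        print(finding)
```

Two caveats a practitioner would add. The `-P` in setsebool persists the boolean default in the policy store on disk, so the store and /etc/selinux/config need filesystem protection (a read-only or verified root) or an attacker with root simply edits them and reboots. And the boolean is only effective together with confining root, as Simon's reply says: with root unconfined, the unconfined domain keeps the permissions the boolean is meant to withdraw.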