Simon,
Would you please tell me how to make it happen?
---henry
On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde(a)redhat.com> wrote:
Henry,
With SELinux you can confine the root user and enable
the secure_mode_policyload boolean.
Kind Regards,
On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker(a)gmail.com>
wrote:
> Henry,
>
> The setenforce command switches SELinux temporarily. To make it persist,
> change the /etc/selinux/config file and reboot.
>
>
> -Mike
>
> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>
>> Mike,
>>
>> setenforce can change mode. See:
>>
>> root@ctx0700:~# cat /etc/selinux/config
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enforcing
>>
>> root@ctx0700:~# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: mcs
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Memory protection checking: requested (insecure)
>> Max kernel policy version: 31
>>
>> root@ctx0700:~# setenforce 0
>> root@ctx0700:~# getenforce
>> Permissive
>> root@ctx0700:~# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: mcs
>> Current mode: permissive
>> Mode from config file: enforcing
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Memory protection checking: requested (insecure)
>> Max kernel policy version: 31
>>
>> -----henry
>>
>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <
>> michaelradecker(a)gmail.com> wrote:
>>
>>> Henry,
>>>
>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>
>>> When you reboot, your system will be enforcing SELinux policies and it
>>> will persist. I'm also including a link to Red Hat documentation regarding
>>> this topic.
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>
>>> -Mike
>>>
>>>
>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62(a)gmail.com>
>>> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> setenforce allows users to swap selinux mode between enforcing and
>>>> permissive.
>>>> If I want my selinux to stay in enforcing mode forever, so that nobody
>>>> is able to interfere with my selinux, what should I do?
>>>>
>>>> Thanks.
>>>>
>>>> ---henry
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>>
--
Simon Sekidde
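
The mismatch visible in the thread's sestatus output (Current mode permissive while Mode from config file is enforcing) can be checked for automatically. The script below is an added example, not part of the original messages; the function names and the sample files are constructed for illustration, and the availability of the secure_mode_policyload boolean in the loaded policy is an assumption.

```shell
#!/bin/sh
# Audit helper: compare the running SELinux mode with the configured one.

# Print the value of one "Label: value" field from sestatus output on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# check_enforcing SESTATUS_FILE CONFIG_FILE
# Prints one verdict: ok | runtime-drift | config-not-enforcing
check_enforcing() {
    current=$(sestatus_field "Current mode" < "$1")
    # Comment lines start with '#', so only the real setting matches.
    configured=$(sed -n 's/^SELINUX=[[:space:]]*//p' "$2" | tail -n 1)
    if [ "$configured" != "enforcing" ]; then
        echo "config-not-enforcing"   # a reboot would not come up enforcing
    elif [ "$current" != "enforcing" ]; then
        echo "runtime-drift"          # someone ran setenforce 0 since boot
    else
        echo "ok"
    fi
}

# Constructed sample input mirroring the state after "setenforce 0" in the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/sestatus.txt" <<'EOF'
SELinux status:                 enabled
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
EOF
cat > "$sample_dir/config" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=enforcing
EOF

check_enforcing "$sample_dir/sestatus.txt" "$sample_dir/config"

# On a live host (not run here):
#   sestatus > /tmp/sestatus.txt
#   check_enforcing /tmp/sestatus.txt /etc/selinux/config
#   getsebool secure_mode_policyload       # shows whether the lock is on
#   setsebool secure_mode_policyload on    # the boolean named in the reply above
```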