Hello,
Setting secure_mode_policyload works as expected and I can reproduce what I
posted last time. If you can see different behaviour, it probably means
some other changes were made on your system which have this effect.
For changes on multiple systems, you can use e.g. semanage export/import
or linux-system-roles.
On Sat, Feb 11, 2023 at 2:01 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
Sorry, I should use sudo su. But I can still make changes in Fedora:
[root@fedora lib]# setsebool secure_mode_policyload on
[root@fedora lib]# setsebool secure_mode_policyload off
[root@fedora lib]# setenforce 0
[root@fedora lib]#
On Fri, Feb 10, 2023 at 4:17 PM Henry Zhang <henryzhang62(a)gmail.com>
wrote:
> Zdenek,
>
> This is what I get from my fedora 37 (VMbox):
> [henryzhang@fedora ~]$ sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: actual (secure)
> Max kernel policy version: 33
> [henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
> ValueError: SELinux policy is not managed or store cannot be accessed.
> [henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
> ValueError: SELinux policy is not managed or store cannot be accessed.
> [henryzhang@fedora ~]$ getenforce
> Enforcing
> [henryzhang@fedora ~]$ setenforce 0
> setenforce: security_setenforce() failed: Permission denied
>
> Looks like Fedora already enforced it.
>
> What is wrong with my own SELinux?
>
> ---Henry
>
> On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62(a)gmail.com>
> wrote:
>
>> Zdenek,
>>
>> I have my own machine with SELInux enabled. But SELinux info is
>> different from yours:
>> root@ctx0700:~# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: mcs
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Memory protection checking: requested (insecure)
>> Max kernel policy version: 31
>> root@ctx0700:~# semanage boolean -l | grep secure_mode
>> secure_mode (off , off) Allow secure to mode
>> secure_mode_insmod (off , off) Allow secure to mode insmod
>> secure_mode_policyload (off , off) Allow secure to mode
>> policyload
>> root@ctx0700:~# setsebool secure_mode_policyload on
>> root@ctx0700:~# setsebool secure_mode_policyload off
>> root@ctx0700:~# setenforce 0
>> root@ctx0700:~# getenforce
>> Permissive
>>
>>
>> ----henry
>>
>> On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62(a)gmail.com>
>> wrote:
>>
>>> Zdenek,
>>>
>>> Thanks for the information.
>>> Is it possible for me to convert those actions into SELinux policy so
>>> that I do not have to do the above operation for all machines with SELinux
>>> enabled?
>>>
>>> ---henry
>>>
>>> On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela(a)redhat.com>
>>> wrote:
>>>
>>>> Henry,
>>>>
>>>> Enable the boolean as Simon suggested using setsebool. This is also a
>>>> list of other related booleans:
>>>>
>>>> f37# semanage boolean -l | grep secure_mode
>>>> secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
>>>> secure_mode_insmod (off , off) Disable kernel module loading.
>>>> secure_mode_policyload (off , off) Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
>>>> f37# setsebool secure_mode_policyload on
>>>> f37# setsebool secure_mode_policyload off
>>>> Could not change active booleans: Permission denied
>>>> f37# setenforce 0
>>>> setenforce: setenforce() failed
>>>>
>>>> With the -P switch, the change will be permanent, so remember to check
>>>> you have some recovery access to the system before you do it (rescue
>>>> mode, booting with SELinux permissive/disabled etc.)
>>>>
>>>>
>>>> On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Simon,
>>>>>
>>>>> Would you please tell me how to make it happen?
>>>>>
>>>>> ---henry
>>>>>
>>>>> On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Henry,
>>>>>>
>>>>>> With SELinux you can confine the root user and enable
>>>>>> the secure_mode_policyload boolean.
>>>>>>
>>>>>> Kind Regards,
>>>>>>
>>>>>> On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <
>>>>>> michaelradecker(a)gmail.com> wrote:
>>>>>>
>>>>>>> Henry,
>>>>>>>
>>>>>>> The setenforce command switches SELinux temporarily. To make it
>>>>>>> persist, change the /etc/selinux/config file and reboot.
>>>>>>>
>>>>>>>
>>>>>>> -Mike
>>>>>>>
>>>>>>> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Mike,
>>>>>>>>
>>>>>>>> setenforce can change mode. See:
>>>>>>>>
>>>>>>>> root@ctx0700:~# cat /etc/selinux/config
>>>>>>>> # This file controls the state of SELinux on the system.
>>>>>>>> # SELINUX= can take one of these three values:
>>>>>>>> # enforcing - SELinux security policy is enforced.
>>>>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>>>>> # disabled - No SELinux policy is loaded.
>>>>>>>> SELINUX=enforcing
>>>>>>>>
>>>>>>>> root@ctx0700:~# sestatus
>>>>>>>> SELinux status: enabled
>>>>>>>> SELinuxfs mount: /sys/fs/selinux
>>>>>>>> SELinux root directory: /etc/selinux
>>>>>>>> Loaded policy name: mcs
>>>>>>>> Current mode: enforcing
>>>>>>>> Mode from config file: enforcing
>>>>>>>> Policy MLS status: enabled
>>>>>>>> Policy deny_unknown status: allowed
>>>>>>>> Memory protection checking: requested (insecure)
>>>>>>>> Max kernel policy version: 31
>>>>>>>>
>>>>>>>> root@ctx0700:~# setenforce 0
>>>>>>>> root@ctx0700:~# getenforce
>>>>>>>> Permissive
>>>>>>>> root@ctx0700:~# sestatus
>>>>>>>> SELinux status: enabled
>>>>>>>> SELinuxfs mount: /sys/fs/selinux
>>>>>>>> SELinux root directory: /etc/selinux
>>>>>>>> Loaded policy name: mcs
>>>>>>>> Current mode: permissive
>>>>>>>> Mode from config file: enforcing
>>>>>>>> Policy MLS status: enabled
>>>>>>>> Policy deny_unknown status: allowed
>>>>>>>> Memory protection checking: requested (insecure)
>>>>>>>> Max kernel policy version: 31
>>>>>>>>
>>>>>>>> -----henry
>>>>>>>>
>>>>>>>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <
>>>>>>>> michaelradecker(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Henry,
>>>>>>>>>
>>>>>>>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>>>>>>>
>>>>>>>>> When you reboot, your system will be enforcing SELinux policies
>>>>>>>>> and it will persist. I'm also including a link to Red Hat documentation
>>>>>>>>> regarding this topic.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>>>>>>>
>>>>>>>>> -Mike
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <
>>>>>>>>> henryzhang62(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi folks,
>>>>>>>>>>
>>>>>>>>>> setenforce allows users to swap selinux mode between enforcing
>>>>>>>>>> and permissive.
>>>>>>>>>> If I want my selinux to stay in enforcing mode forever so that
>>>>>>>>>> nobody is able to interfere with my selinux, what should I do?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> ---henry
>>>>>>>>>> _______________________________________________
>>>>>>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>>>>>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>>>>>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Simon Sekidde
>>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Zdenek Pytela
>>>> Security SELinux team
>>>>
>>>
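As an added example, not part of this thread or of any poster's message, the following POSIX shell script audits the lockdown state the thread is about: it parses sestatus and getsebool secure_mode_policyload output and reports whether the host is in enforcing mode (current and configured), whether policy loading and mode changes are locked by the boolean, and whether the kernel reports memory protection checking as "actual (secure)" rather than "requested (insecure)" as on Henry's mcs box. The sample outputs embedded in the script are constructed, modelled on the ones quoted in the thread, and the function names (sestatus_field, getsebool_value, audit_lockdown, live_audit) are my own. Because the functions take command output as text, the script runs offline; live_audit feeds them real command output when sestatus is present. It is read-only, which makes it a reasonable pre-flight before setsebool -P secure_mode_policyload on, since that persistent change can only be undone with a reboot and recovery access.

```shell
#!/bin/sh
# Added example: audit SELinux policy-load lockdown from sestatus/getsebool
# output. Not from the mailing-list thread; sample outputs are constructed.

# Constructed sestatus output, modelled on the Fedora 37 output in the thread.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33'

# Same host after "setenforce 0" (constructed).
SAMPLE_SESTATUS_PERMISSIVE=$(printf '%s\n' "$SAMPLE_SESTATUS" |
    sed 's/^Current mode:.*/Current mode:                   permissive/')

# Constructed "getsebool secure_mode_policyload" output ("name --> on|off").
SAMPLE_GETSEBOOL_OFF='secure_mode_policyload --> off'
SAMPLE_GETSEBOOL_ON='secure_mode_policyload --> on'

# sestatus_field "<sestatus output>" "<label>": print the value for a label,
# e.g. sestatus_field "$out" "Current mode" -> enforcing
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# getsebool_value "<getsebool output>": print on|off for secure_mode_policyload
getsebool_value() {
    printf '%s\n' "$1" | awk '$1 == "secure_mode_policyload" { print $3; exit }'
}

# audit_lockdown "<sestatus output>" "<getsebool output>"
# Returns 0 only when the host is enforcing now and in the config file, the
# policyload lockdown boolean is on, and memory protection checking is
# "actual (secure)". Each failing condition prints one WARN line.
audit_lockdown() {
    mode=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    memprot=$(sestatus_field "$1" "Memory protection checking")
    lock=$(getsebool_value "$2")
    rc=0
    [ "$mode" = "enforcing" ] || { echo "WARN: current mode is '$mode'"; rc=1; }
    [ "$cfg" = "enforcing" ] || { echo "WARN: config file mode is '$cfg'"; rc=1; }
    [ "$lock" = "on" ] || { echo "WARN: secure_mode_policyload is '$lock'"; rc=1; }
    case "$memprot" in
        actual*) ;;
        *) echo "WARN: memory protection checking is '$memprot'"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: enforcing and policy load locked down"
    return "$rc"
}

# live_audit: run the same checks against the real commands on this host.
live_audit() {
    command -v sestatus >/dev/null 2>&1 || { echo "sestatus not found"; return 2; }
    audit_lockdown "$(sestatus)" "$(getsebool secure_mode_policyload)"
}

# Demonstration on the constructed samples when run directly.
echo "== constructed sample: lockdown off =="
audit_lockdown "$SAMPLE_SESTATUS" "$SAMPLE_GETSEBOOL_OFF" || true
echo "== constructed sample: permissive, lockdown on =="
audit_lockdown "$SAMPLE_SESTATUS_PERMISSIVE" "$SAMPLE_GETSEBOOL_ON" || true
echo "== constructed sample: lockdown on =="
audit_lockdown "$SAMPLE_SESTATUS" "$SAMPLE_GETSEBOOL_ON" || true
```

Run it with sh on any host to see the three constructed cases; call live_audit from an interactive shell (or append it to the script) to check a real system. The memory protection check matters because the same kernel setting that reports "requested (insecure)" means the kernel did not enforce the protections the policy asked for, so a lockdown judged from the boolean alone can overstate the host's state.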