Hello,

Setting secure_mode_policyload works as expected and I can reproduce what I posted last time. If you can see different behaviour, it probably means some other changes were made on your system which have this effect.
For changes on multiple systems, you can use e.g. semanage export/import or linux-system-roles.


On Sat, Feb 11, 2023 at 2:01 AM Henry Zhang <henryzhang62@gmail.com> wrote:
Sorry, I should use sudo su. But I can still make changes in Fedora:
[root@fedora lib]# setsebool secure_mode_policyload on
[root@fedora lib]# setsebool secure_mode_policyload off
[root@fedora lib]# setenforce 0
[root@fedora lib]#

On Fri, Feb 10, 2023 at 4:17 PM Henry Zhang <henryzhang62@gmail.com> wrote:
Zdenek,

This is what I get from my fedora 37 (VMbox):
[henryzhang@fedora ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce:  security_setenforce() failed:  Permission denied

Looks like Fedora already enforced it.

What is wrong with my own SELinux?

---Henry

On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62@gmail.com> wrote:
Zdenek,

I have my own machine with SELinux enabled. But the SELinux info is different from yours:
root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  Allow secure to mode
secure_mode_insmod             (off  ,  off)  Allow secure to mode insmod
secure_mode_policyload         (off  ,  off)  Allow secure to mode policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive


----henry

On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62@gmail.com> wrote:
Zdenek,

Thanks for the information.
Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?

---henry

On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela@redhat.com> wrote:
Henry,

Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:

f37# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod             (off  ,  off)  Disable kernel module loading.
secure_mode_policyload         (off  ,  off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.  Set this to true and you have to reboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce:  setenforce() failed

With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with SELinux permissive/disabled, etc.).


On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62@gmail.com> wrote:
Simon,

Would you please tell me how to make it happen?

---henry

On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde@redhat.com> wrote:
Henry, 

With SELinux you can confine the root user and enable the secure_mode_policyload boolean. 

Kind Regards, 

On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@gmail.com> wrote:
Henry, 

The setenforce command switches SELinux temporarily.  To make it persist, change the /etc/selinux/config file and reboot.


-Mike

On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62@gmail.com> wrote:
Mike,

setenforce can change mode. See:

root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing

root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31

root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31

-----henry

On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@gmail.com> wrote:
Henry,

You can edit /etc/selinux/config to state SELINUX=enforcing

When you reboot, your system will be enforcing SELinux policies and it will persist.  I'm also including a link to Red Hat documentation regarding this topic.


-Mike


On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62@gmail.com> wrote:
Hi folks,

setenforce allows users to swap the SELinux mode between enforcing and permissive.
If I want my SELinux to stay in enforcing mode forever, so that nobody is able to interfere with it, what should I do?

Thanks.

---henry
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Simon Sekidde



--

Zdenek Pytela
Security SELinux team


--

Zdenek Pytela
Security SELinux team
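The thread settles on three settings that together stop a root shell from flipping the mode: the running mode is enforcing, /etc/selinux/config says SELINUX=enforcing so it survives a reboot, and the secure_mode_policyload boolean is on (set with -P to persist). The following POSIX shell audit is an added example, written for this editorial pass and not code from any participant in the thread. It parses captured sestatus, /etc/selinux/config and getsebool output (the sample inputs are constructed, modelled on the output quoted above) and reports which of the three conditions is missing, which is the kind of check you would run over output collected from many hosts before rolling the change out with semanage export/import or linux-system-roles. The remediation function only prints the commands; the function names and the "locked"/"unlocked" wording are this example's own.

```shell
#!/bin/sh
# Audit whether a host is "locked" as the thread describes: enforcing at runtime,
# enforcing in the config file, and secure_mode_policyload on. Inputs are plain
# strings so the checks work offline on captured output from many hosts.

# Constructed sample inputs (modelled on the output quoted in the thread).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33'

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# getsebool prints "name --> on|off"; both states as constructed samples.
SAMPLE_BOOL_ON='secure_mode_policyload --> on'
SAMPLE_BOOL_OFF='secure_mode_policyload --> off'

# Print the value of one "Key:   value" field from sestatus output.
# $1 = sestatus text, $2 = field name (e.g. "Current mode")
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# Print the SELINUX= value from /etc/selinux/config content (comments ignored).
config_mode() {
    printf '%s\n' "$1" | awk -F= '/^[[:space:]]*SELINUX=/ { print $2; exit }'
}

# Succeed (exit 0) only when getsebool output shows secure_mode_policyload on.
policyload_locked() {
    printf '%s\n' "$1" | grep -q '^secure_mode_policyload --> on$'
}

# Print "locked" when all three conditions hold, otherwise "unlocked:" followed
# by the failing checks; the exit status mirrors the result.
# $1 = sestatus text, $2 = config text, $3 = getsebool line
lockdown_status() {
    problems=""
    [ "$(sestatus_field "$1" 'Current mode')" = enforcing ] || problems="$problems runtime-not-enforcing"
    [ "$(config_mode "$2")" = enforcing ] || problems="$problems config-not-enforcing"
    policyload_locked "$3" || problems="$problems policyload-not-locked"
    if [ -z "$problems" ]; then
        echo locked
        return 0
    fi
    echo "unlocked:$problems"
    return 1
}

# Print (do not run) the commands the thread arrives at. setsebool -P survives
# a reboot and, once secure_mode_policyload is on, it cannot be turned off
# without booting into a recovery mode, so confirm out-of-band access first.
remediation() {
    cat <<'EOF'
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
setenforce 1
setsebool -P secure_mode_policyload on
EOF
}

# Stand-alone demo on the constructed samples: run with "demo" as argument.
if [ "${1:-}" = demo ]; then
    lockdown_status "$SAMPLE_SESTATUS" "$SAMPLE_CONFIG" "$SAMPLE_BOOL_OFF" || remediation
fi
```

On a live host the same functions take real output: lockdown_status "$(sestatus)" "$(cat /etc/selinux/config)" "$(getsebool secure_mode_policyload)". Note that getsebool and sestatus need the policy store to be readable, which is why the semanage calls in the thread fail for an unprivileged user.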