Zdenek,
Thanks for the information.
Is it possible for me to convert those actions into SELinux policy so that
I do not have to do the above operation for all machines with SELinux
enabled?
---henry
On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela(a)redhat.com> wrote:
Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list
of other related booleans:
f37# semanage boolean -l | grep secure_mode
secure_mode                    (off , off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod             (off , off)  Disable kernel module loading.
secure_mode_policyload         (off , off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you
have some recovery access to the system before you do it (rescue mode,
booting with SELinux permissive/disabled, etc.).
On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
> Simon,
>
> Would you please tell me how to make it happen?
>
> ---henry
>
> On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde(a)redhat.com> wrote:
>
>> Henry,
>>
>> With SELinux you can confine the root user and enable
>> the secure_mode_policyload boolean.
>>
>> Kind Regards,
>>
>> On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
>>
>>> Henry,
>>>
>>> The setenforce command switches SELinux temporarily. To make it
>>> persist, change the /etc/selinux/config file and reboot.
>>>
>>>
>>> -Mike
>>>
>>>> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>>>
>>>> Mike,
>>>>
>>>> setenforce can change mode. See:
>>>>
>>>> root@ctx0700:~# cat /etc/selinux/config
>>>> # This file controls the state of SELinux on the system.
>>>> # SELINUX= can take one of these three values:
>>>> # enforcing - SELinux security policy is enforced.
>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>> # disabled - No SELinux policy is loaded.
>>>> SELINUX=enforcing
>>>>
>>>> root@ctx0700:~# sestatus
>>>> SELinux status: enabled
>>>> SELinuxfs mount: /sys/fs/selinux
>>>> SELinux root directory: /etc/selinux
>>>> Loaded policy name: mcs
>>>> Current mode: enforcing
>>>> Mode from config file: enforcing
>>>> Policy MLS status: enabled
>>>> Policy deny_unknown status: allowed
>>>> Memory protection checking: requested (insecure)
>>>> Max kernel policy version: 31
>>>>
>>>> root@ctx0700:~# setenforce 0
>>>> root@ctx0700:~# getenforce
>>>> Permissive
>>>> root@ctx0700:~# sestatus
>>>> SELinux status: enabled
>>>> SELinuxfs mount: /sys/fs/selinux
>>>> SELinux root directory: /etc/selinux
>>>> Loaded policy name: mcs
>>>> Current mode: permissive
>>>> Mode from config file: enforcing
>>>> Policy MLS status: enabled
>>>> Policy deny_unknown status: allowed
>>>> Memory protection checking: requested (insecure)
>>>> Max kernel policy version: 31
>>>>
>>>> -----henry
>>>>
>>>>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
>>>>
>>>>> Henry,
>>>>>
>>>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>>>
>>>>> When you reboot, your system will be enforcing SELinux policies and
>>>>> it will persist. I'm also including a link to Red Hat documentation
>>>>> regarding this topic.
>>>>>
>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>>>
>>>>> -Mike
>>>>>
>>>>>
>>>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> setenforce allows users to swap the SELinux mode between enforcing and
>>>>>> permissive.
>>>>>> If I want my SELinux to stay in enforcing mode forever so that
>>>>>> nobody is able to interfere with it, what should I do?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> ---henry
>>>>>> _______________________________________________
>>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>>> To unsubscribe send an email to
>>>>>> selinux-leave(a)lists.fedoraproject.org
>>>>>> Fedora Code of Conduct:
>>>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>> List Guidelines:
>>>>>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives:
>>>>>>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>>>> Do not reply to spam, report it:
>>>>>>
https://pagure.io/fedora-infrastructure/new_issue
>>>>>>
>>
>>
>> --
>>
>> Simon Sekidde
>>
--
Zdenek Pytela
Security SELinux team
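The steps Simon and Zdenek lay out above (SELINUX=enforcing in /etc/selinux/config, then setsebool -P secure_mode_policyload on, with a recovery path confirmed first) and Henry's follow-up about repeating this on every machine, as an added shell script that is not part of the thread. It audits a host for the locked state and applies the change only behind an explicit guard. The parsing helpers, the RECOVERY_OK variable and the function names are this example's own; it assumes the policycoreutils tools (sestatus, getsebool, setsebool) as shipped on Fedora.

```shell
#!/bin/sh
# Added example, not from the thread: audit a host for the "locked enforcing"
# state discussed above and, only on explicit request, apply it.
# Assumptions: sestatus/getsebool/setsebool come from policycoreutils as on
# Fedora; RECOVERY_OK is a guard variable invented for this script.

CONFIG=/etc/selinux/config

# Print the value of a "Key: value" line from sestatus-style text on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Print the value of one boolean from getsebool-style text on stdin
# (lines look like "secure_mode_policyload --> off").
getsebool_value() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3; exit }'
}

# Print the SELINUX= setting from /etc/selinux/config-style text on stdin.
config_mode() {
    awk -F= '/^SELINUX=/ { print $2; exit }'
}

# Verdict: "locked" means runtime enforcing, config enforcing, and
# secure_mode_policyload on (so setenforce, setsebool and policy loads are
# refused until reboot). Args: current mode, config mode, boolean value.
# Returns 0 when locked, 1 otherwise, listing what is missing.
assess_lockdown() {
    rc=0
    [ "$1" = enforcing ] || { echo "runtime mode is '$1', not enforcing"; rc=1; }
    [ "$2" = enforcing ] || { echo "config says SELINUX=$2; a reboot would not come up enforcing"; rc=1; }
    [ "$3" = on ] || { echo "secure_mode_policyload is '$3'; root can still run setenforce and setsebool"; rc=1; }
    [ "$rc" -eq 0 ] && echo "locked: enforcing now, enforcing in config, policy load disabled"
    return "$rc"
}

# Gather the live values from this host and assess them.
audit_host() {
    assess_lockdown \
        "$(sestatus | sestatus_field 'Current mode')" \
        "$(config_mode < "$CONFIG")" \
        "$(getsebool secure_mode_policyload | getsebool_value secure_mode_policyload)"
}

# Apply the steps from the thread. Order matters: every other policy-store
# change (other booleans, semanage changes such as confining root) must come
# before the last command, because once secure_mode_policyload is on, boolean
# changes and policy loads are refused until a reboot with SELinux permissive
# or disabled on the kernel command line.
apply_lockdown() {
    if [ "${RECOVERY_OK:-0}" != 1 ]; then
        echo "refusing: confirm rescue/console access, then rerun with RECOVERY_OK=1" >&2
        return 2
    fi
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' "$CONFIG"
    setenforce 1
    setsebool -P secure_mode_policyload on
}

case "${1:-}" in
    audit) audit_host ;;
    apply) apply_lockdown && audit_host ;;
    *) : ;;
esac
```

Run `sh lockdown.sh audit` from configuration management to get a per-host verdict; the exit code makes it usable as a compliance check. `setsebool -P` records the value in each host's own policy store, so the portable artifact is this command sequence, run on every host, rather than a policy module.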