Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list
of other related booleans:
f37# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod             (off  ,  off)  Disable kernel module loading.
secure_mode_policyload         (off  ,  off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you
have some recovery access to the system before you do it (rescue mode,
booting with selinux permissive/disabled etc.)
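An added check, not part of the thread, that audits the three things discussed above: SELINUX= in the config file (survives reboot), the live enforce flag (what setenforce flips), and the secure_mode_policyload boolean (what stops root from flipping it). Inputs are passed as file paths so it can be run against the constructed sample files below; on a live host you would point it at /etc/selinux/config, /sys/fs/selinux/enforce and a file holding the output of "getsebool secure_mode_policyload".

```shell
#!/bin/sh
# Report whether SELinux enforcing mode is pinned both across reboots and
# against a root "setenforce 0". Prints one GAP line per weakness found and
# returns the number of gaps (0 == LOCKED).
selinux_lockdown_check() {
    config="$1"; enforce="$2"; boolfile="$3"
    gaps=0
    # Last SELINUX= line wins, as in /etc/selinux/config.
    cfg_mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$config" | tail -n 1)
    if [ "$cfg_mode" != "enforcing" ]; then
        echo "GAP: config sets SELINUX=${cfg_mode:-<unset>}; mode reverts at reboot"
        gaps=$((gaps + 1))
    fi
    # /sys/fs/selinux/enforce holds 1 (enforcing) or 0 (permissive).
    if [ "$(cat "$enforce")" != "1" ]; then
        echo "GAP: kernel is currently permissive (setenforce 0 or boot override)"
        gaps=$((gaps + 1))
    fi
    # getsebool prints "secure_mode_policyload --> on|off".
    case "$(cat "$boolfile")" in
        *"secure_mode_policyload --> on"*) ;;
        *) echo "GAP: secure_mode_policyload is off; root can still setenforce 0 or load policy"
           gaps=$((gaps + 1)) ;;
    esac
    [ "$gaps" -eq 0 ] && echo LOCKED
    return "$gaps"
}

# Constructed sample inputs (not captured from a real host) that mirror the
# state in the thread: config enforcing, kernel switched to permissive,
# boolean still off. Prints the temp directory holding the three files.
make_samples() {
    dir=$(mktemp -d)
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$dir/config"
    printf '0\n' > "$dir/enforce"
    printf 'secure_mode_policyload --> off\n' > "$dir/policyload"
    echo "$dir"
}

d=$(make_samples)
selinux_lockdown_check "$d/config" "$d/enforce" "$d/policyload" || echo "found $? gap(s)"
```

Against the sample files it reports two gaps; setting enforce to 1 and the boolean to on makes it print LOCKED.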
On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
Simon,
Would you please tell me how to make it happen?
---henry
On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde(a)redhat.com> wrote:
> Henry,
>
> With SELinux you can confine the root user and enable
> the secure_mode_policyload boolean.
>
> Kind Regards,
>
> On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <
> michaelradecker(a)gmail.com> wrote:
>
>> Henry,
>>
>> The setenforce command switches SELinux temporarily. To make it
>> persist, change the /etc/selinux/config file and reboot.
>>
>>
>> -Mike
>>
>> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com>
>> wrote:
>>
>>> Mike,
>>>
>>> setenforce can change mode. See:
>>>
>>> root@ctx0700:~# cat /etc/selinux/config
>>> # This file controls the state of SELinux on the system.
>>> # SELINUX= can take one of these three values:
>>> # enforcing - SELinux security policy is enforced.
>>> # permissive - SELinux prints warnings instead of enforcing.
>>> # disabled - No SELinux policy is loaded.
>>> SELINUX=enforcing
>>>
>>> root@ctx0700:~# sestatus
>>> SELinux status: enabled
>>> SELinuxfs mount: /sys/fs/selinux
>>> SELinux root directory: /etc/selinux
>>> Loaded policy name: mcs
>>> Current mode: enforcing
>>> Mode from config file: enforcing
>>> Policy MLS status: enabled
>>> Policy deny_unknown status: allowed
>>> Memory protection checking: requested (insecure)
>>> Max kernel policy version: 31
>>>
>>> root@ctx0700:~# setenforce 0
>>> root@ctx0700:~# getenforce
>>> Permissive
>>> root@ctx0700:~# sestatus
>>> SELinux status: enabled
>>> SELinuxfs mount: /sys/fs/selinux
>>> SELinux root directory: /etc/selinux
>>> Loaded policy name: mcs
>>> Current mode: permissive
>>> Mode from config file: enforcing
>>> Policy MLS status: enabled
>>> Policy deny_unknown status: allowed
>>> Memory protection checking: requested (insecure)
>>> Max kernel policy version: 31
>>>
>>> -----henry
>>>
>>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <
>>> michaelradecker(a)gmail.com> wrote:
>>>
>>>> Henry,
>>>>
>>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>>
>>>> When you reboot, your system will be enforcing SELinux policies and it
>>>> will persist. I'm also including a link to Red Hat documentation
>>>> regarding this topic.
>>>>
>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>>
>>>> -Mike
>>>>
>>>>
>>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hi folks,
>>>>>
>>>>> setenforce allows users to swap selinux mode between enforcing and
>>>>> permissive.
>>>>> If I want my selinux to stay in enforcing mode forever so that nobody
>>>>> is able to interfere with my selinux.
>>>>>
>>>>> What should I do?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> ---henry
>>>>> _______________________________________________
>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>>>> Fedora Code of Conduct:
>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>>> Do not reply to spam, report it:
>>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>>
>
>
> --
>
> Simon Sekidde
>