Zdenek,
This is what I get from my fedora 37 (VMbox):
[henryzhang@fedora ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---Henry
On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
Zdenek,
I have my own machine with SELInux enabled. But SELinux info is different
from yours:
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode (off , off) Allow secure to mode
secure_mode_insmod (off , off) Allow secure to mode insmod
secure_mode_policyload (off , off) Allow secure to mode
policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
----henry
On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62(a)gmail.com>
wrote:
> Zdenek,
>
> Thanks for the information.
> Is it possible for me to convert those actions into SELinux policy so
> that I do not have to do the above operation for all machines with SELinux
> enabled?
>
> ---henry
>
> On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela(a)redhat.com> wrote:
>
>> Henry,
>>
>> Enable the boolean as Simon suggested using setsebool. This is also a
>> list of other related booleans:
>>
>> f37# semanage boolean -l | grep secure_mode
>> secure_mode (off , off) disallow programs, such
>> as newrole, from transitionin
>> g to administrative user domains.
>> secure_mode_insmod (off , off) Disable kernel module
>> loading.
>> secure_mode_policyload (off , off) Boolean to determine
>> whether the system permits loadi
>> ng policy, setting enforcing mode, and changing boolean values. Set
>> this to true and you have to r
>> eboot to set it back.
>> f37# setsebool secure_mode_policyload on
>> f37# setsebool secure_mode_policyload off
>> Could not change active booleans: Permission denied
>> f37# setenforce 0
>> setenforce: setenforce() failed
>>
>> With the -P switch, the change will be permanent, so remember to check
>> you have some recovery access to the system before you do it (rescue mode,
>> booting with selinupermissive/disabled etc.)
>>
>>
>> On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62(a)gmail.com>
>> wrote:
>>
>>> Simon,
>>>
>>> Would you please tell me how to make it happen?
>>>
>>> ---henry
>>>
>>> On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde(a)redhat.com>
>>> wrote:
>>>
>>>> Henry,
>>>>
>>>> With SELinux you can confine the root user and enable
>>>> the secure_mode_policyload boolean.
>>>>
>>>> Kind Regards,
>>>>
>>>> On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <
>>>> michaelradecker(a)gmail.com> wrote:
>>>>
>>>>> Henry,
>>>>>
>>>>> The setenforce command switches SELinux temporarily. To make it
>>>>> persist, change the /etc/selinux/config file and reboot.
>>>>>
>>>>>
>>>>> -Mike
>>>>>
>>>>> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang
<henryzhang62(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Mike,
>>>>>>
>>>>>> setenforce can change mode. See:
>>>>>>
>>>>>> root@ctx0700:~# cat /etc/selinux/config
>>>>>> # This file controls the state of SELinux on the system.
>>>>>> # SELINUX= can take one of these three values:
>>>>>> # enforcing - SELinux security policy is enforced.
>>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>>> # disabled - No SELinux policy is loaded.
>>>>>> SELINUX=enforcing
>>>>>>
>>>>>> root@ctx0700:~# sestatus
>>>>>>
>>>>>>
>>>>>> SELinux status: enabled
>>>>>> SELinuxfs mount: /sys/fs/selinux
>>>>>> SELinux root directory: /etc/selinux
>>>>>> Loaded policy name: mcs
>>>>>> Current mode: enforcing
>>>>>> Mode from config file: enforcing
>>>>>> Policy MLS status: enabled
>>>>>> Policy deny_unknown status: allowed
>>>>>> Memory protection checking: requested (insecure)
>>>>>> Max kernel policy version: 31
>>>>>>
>>>>>> root@ctx0700:~# setenforce 0
>>>>>>
>>>>>>
>>>>>> root@ctx0700:~# getenforce
>>>>>>
>>>>>>
>>>>>> Permissive
>>>>>> root@ctx0700:~# sestatus
>>>>>> SELinux status: enabled
>>>>>> SELinuxfs mount: /sys/fs/selinux
>>>>>> SELinux root directory: /etc/selinux
>>>>>> Loaded policy name: mcs
>>>>>> Current mode: permissive
>>>>>> Mode from config file: enforcing
>>>>>> Policy MLS status: enabled
>>>>>> Policy deny_unknown status: allowed
>>>>>> Memory protection checking: requested (insecure)
>>>>>> Max kernel policy version: 31
>>>>>>
>>>>>> -----henry
>>>>>>
>>>>>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <
>>>>>> michaelradecker(a)gmail.com> wrote:
>>>>>>
>>>>>>> Henry,
>>>>>>>
>>>>>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>>>>>
>>>>>>> When you reboot, your system will be enforcing SELinux
policies and
>>>>>>> it will persist. I'm also including a link to Red Hat
documentation
>>>>>>> regarding this topic.
>>>>>>>
>>>>>>>
>>>>>>>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>>>>>
>>>>>>> -Mike
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang
<henryzhang62(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi folks,
>>>>>>>>
>>>>>>>> setenforce allows users to swap selinux mode between
enforcing and
>>>>>>>> permissive.
>>>>>>>> If I want my selinux to stay in enforcing mode forever so
that
>>>>>>>> nobody is able to interfere with my selinux.
>>>>>>>>
>>>>>>>> What should I do?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> ---henry
>>>>>>>> _______________________________________________
>>>>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>>>>> To unsubscribe send an email to
>>>>>>>> selinux-leave(a)lists.fedoraproject.org
>>>>>>>> Fedora Code of Conduct:
>>>>>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>> List Guidelines:
>>>>>>>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>> List Archives:
>>>>>>>>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>>>>>> Do not reply to spam, report it:
>>>>>>>>
https://pagure.io/fedora-infrastructure/new_issue
>>>>>>>>
>>>>>>> _______________________________________________
>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>> To unsubscribe send an email to
selinux-leave(a)lists.fedoraproject.org
>>>>> Fedora Code of Conduct:
>>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines:
>>>>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>>> Do not reply to spam, report it:
>>>>>
https://pagure.io/fedora-infrastructure/new_issue
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Simon Sekidde
>>>>
>>> _______________________________________________
>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>> Fedora Code of Conduct:
>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>> Do not reply to spam, report it:
>>>
https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
>>
>> --
>>
>> Zdenek Pytela
>> Security SELinux team
>>
>