Sorry, I should have used sudo su. But I can still make changes in Fedora:
[root@fedora lib]# setsebool secure_mode_policyload on
[root@fedora lib]# setsebool secure_mode_policyload off
[root@fedora lib]# setenforce 0
[root@fedora lib]#
On Fri, Feb 10, 2023 at 4:17 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
Zdenek,
This is what I get from my fedora 37 (VMbox):
[henryzhang@fedora ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---Henry
On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62(a)gmail.com>
wrote:
> Zdenek,
>
> I have my own machine with SELInux enabled. But SELinux info is different
> from yours:
> root@ctx0700:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: mcs
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: requested (insecure)
> Max kernel policy version: 31
> root@ctx0700:~# semanage boolean -l | grep secure_mode
> secure_mode (off , off) Allow secure to mode
> secure_mode_insmod (off , off) Allow secure to mode insmod
> secure_mode_policyload (off , off) Allow secure to mode policyload
> root@ctx0700:~# setsebool secure_mode_policyload on
> root@ctx0700:~# setsebool secure_mode_policyload off
> root@ctx0700:~# setenforce 0
> root@ctx0700:~# getenforce
> Permissive
>
>
> ----henry
>
> On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62(a)gmail.com>
> wrote:
>
>> Zdenek,
>>
>> Thanks for the information.
>> Is it possible for me to convert those actions into SELinux policy so
>> that I do not have to do the above operation for all machines with SELinux
>> enabled?
>>
>> ---henry
>>
>> On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela(a)redhat.com>
>> wrote:
>>
>>> Henry,
>>>
>>> Enable the boolean as Simon suggested using setsebool. This is also a
>>> list of other related booleans:
>>>
>>> f37# semanage boolean -l | grep secure_mode
>>> secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
>>> secure_mode_insmod (off , off) Disable kernel module loading.
>>> secure_mode_policyload (off , off) Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
>>> f37# setsebool secure_mode_policyload on
>>> f37# setsebool secure_mode_policyload off
>>> Could not change active booleans: Permission denied
>>> f37# setenforce 0
>>> setenforce: setenforce() failed
>>>
>>> With the -P switch, the change will be permanent, so remember to check
>>> you have some recovery access to the system before you do it (rescue mode,
>>> booting with SELinux permissive/disabled, etc.)
>>>
>>>
>>> On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62(a)gmail.com>
>>> wrote:
>>>
>>>> Simon,
>>>>
>>>> Would you please tell me how to make it happen?
>>>>
>>>> ---henry
>>>>
>>>> On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Henry,
>>>>>
>>>>> With SELinux you can confine the root user and enable
>>>>> the secure_mode_policyload boolean.
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>> On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
>>>>>
>>>>>> Henry,
>>>>>>
>>>>>> The setenforce command switches SELinux temporarily. To make it
>>>>>> persist, change the /etc/selinux/config file and reboot.
>>>>>>
>>>>>>
>>>>>> -Mike
>>>>>>
>>>>>> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>>>>>>
>>>>>>> Mike,
>>>>>>>
>>>>>>> setenforce can change mode. See:
>>>>>>>
>>>>>>> root@ctx0700:~# cat /etc/selinux/config
>>>>>>> # This file controls the state of SELinux on the system.
>>>>>>> # SELINUX= can take one of these three values:
>>>>>>> # enforcing - SELinux security policy is enforced.
>>>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>>>> # disabled - No SELinux policy is loaded.
>>>>>>> SELINUX=enforcing
>>>>>>>
>>>>>>> root@ctx0700:~# sestatus
>>>>>>> SELinux status: enabled
>>>>>>> SELinuxfs mount: /sys/fs/selinux
>>>>>>> SELinux root directory: /etc/selinux
>>>>>>> Loaded policy name: mcs
>>>>>>> Current mode: enforcing
>>>>>>> Mode from config file: enforcing
>>>>>>> Policy MLS status: enabled
>>>>>>> Policy deny_unknown status: allowed
>>>>>>> Memory protection checking: requested (insecure)
>>>>>>> Max kernel policy version: 31
>>>>>>>
>>>>>>> root@ctx0700:~# setenforce 0
>>>>>>> root@ctx0700:~# getenforce
>>>>>>> Permissive
>>>>>>> root@ctx0700:~# sestatus
>>>>>>> SELinux status: enabled
>>>>>>> SELinuxfs mount: /sys/fs/selinux
>>>>>>> SELinux root directory: /etc/selinux
>>>>>>> Loaded policy name: mcs
>>>>>>> Current mode: permissive
>>>>>>> Mode from config file: enforcing
>>>>>>> Policy MLS status: enabled
>>>>>>> Policy deny_unknown status: allowed
>>>>>>> Memory protection checking: requested (insecure)
>>>>>>> Max kernel policy version: 31
>>>>>>>
>>>>>>> -----henry
>>>>>>>
>>>>>>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Henry,
>>>>>>>>
>>>>>>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>>>>>>
>>>>>>>> When you reboot, your system will be enforcing SELinux policies
>>>>>>>> and it will persist. I'm also including a link to Red Hat documentation
>>>>>>>> regarding this topic.
>>>>>>>>
>>>>>>>>
>>>>>>>>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>>>>>>>
>>>>>>>> -Mike
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi folks,
>>>>>>>>>
>>>>>>>>> setenforce allows users to swap selinux mode between enforcing and permissive.
>>>>>>>>> If I want my selinux to stay in enforcing mode forever so that nobody is
>>>>>>>>> able to interfere with my selinux, what should I do?
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> ---henry
>>>>>>>>> _______________________________________________
>>>>>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>>>>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>>>>>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Simon Sekidde
>>>>>
>>>
>>>
>>> --
>>>
>>> Zdenek Pytela
>>> Security SELinux team
>>>
>>
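Pulling the thread together into one runnable procedure, the script below is an added example by the editor; it is not code posted by anyone in this thread, nor part of Fedora or the selinux-policy package. It assumes the semantics Zdenek describes for the Fedora targeted policy: once secure_mode_policyload is on, setenforce, setbool and load_policy are denied until a reboot, and setsebool -P makes the value survive that reboot. Run without arguments it only executes offline self-checks against constructed sample output (the getsebool and sesearch -C lines embedded in it are made up to mimic those tools' layout, and hypothetical_t is an invented domain); run as root with --apply it performs the lockdown and then confirms that setenforce 0 really is denied, which is the check that separates Zdenek's f37 result from the mcs policy on ctx0700, where the boolean flipped but setenforce 0 still succeeded. The sesearch step is a diagnostic only and needs setools-console; the enforcing=0 kernel parameter mentioned in the comments is the recovery route Zdenek's caveat refers to.

```shell
#!/bin/sh
# Added example (editor's script, not from the thread or Fedora): lock SELinux
# into enforcing mode with secure_mode_policyload and verify the lock holds.
# Usage: sh lock_selinux.sh                 offline self-checks on constructed samples
#        sudo sh lock_selinux.sh --apply    persistent lockdown (reboot needed to undo)
#        sudo sh lock_selinux.sh --verify   check an already locked host
set -eu

BOOL=secure_mode_policyload

# --- pure helpers: read stdin, need no privileges ------------------------------

# Succeed only if the last SELINUX= line of an /etc/selinux/config-style file
# says enforcing (SELINUXTYPE= and the comment lines do not match).
config_is_enforcing() {
    awk -F= '/^[ \t]*SELINUX[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { exit v != "enforcing" }'
}

# Succeed only if getsebool output ("name --> on|off") reports the boolean as on.
boolean_is_on() {
    awk -v want="$1" '$1 == want && $2 == "-->" && $3 == "on" { ok = 1 } END { exit !ok }'
}

# Count allow rules that grant setenforce without mentioning the boolean.
# Input is "sesearch -A -c security -p setenforce -C" output; with -C sesearch
# appends the conditional expression to conditional rules, so a rule that never
# names the boolean would let setenforce bypass the lock (assumed layout).
count_ungated_setenforce_rules() {
    awk -v b="$BOOL" '/setenforce/ && index($0, b) == 0 { n++ } END { print n + 0 }'
}

# --- constructed sample inputs for the self-checks (not captured from a host) ---
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_GETSEBOOL='secure_mode_policyload --> on'
# Layout imitates sesearch -C; hypothetical_t is invented to show an ungated rule.
SAMPLE_SESEARCH='allow unconfined_t security_t:security { load_policy setbool setenforce }; [ !secure_mode_policyload ]:True
allow hypothetical_t security_t:security setenforce;'

self_check() {
    printf '%s\n' "$SAMPLE_CONFIG" | config_is_enforcing
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_is_on "$BOOL"
    [ "$(printf '%s\n' "$SAMPLE_SESEARCH" | count_ungated_setenforce_rules)" -eq 1 ]
}

# --- privileged steps -----------------------------------------------------------

# A real lock means: boolean reads on, setenforce 0 is denied, mode stays Enforcing.
# On ctx0700 the boolean flipped but setenforce 0 still worked; that is reported here.
verify_locked() {
    getsebool "$BOOL" | boolean_is_on "$BOOL" || { echo "$BOOL is not on" >&2; return 1; }
    if setenforce 0 2>/dev/null; then
        setenforce 1
        echo "setenforce 0 still succeeds: this policy does not gate setenforce on $BOOL" >&2
        return 1
    fi
    [ "$(getenforce)" = Enforcing ] || { echo "system is not Enforcing" >&2; return 1; }
    echo "locked: $BOOL is on and setenforce is denied"
}

apply_lockdown() {
    # The persistent mode must already be enforcing (Mike's point), otherwise the
    # lock would protect a permissive boot.
    config_is_enforcing < /etc/selinux/config || { echo "set SELINUX=enforcing in /etc/selinux/config first" >&2; return 1; }
    [ "$(getenforce)" = Enforcing ] || { echo "run 'setenforce 1' first" >&2; return 1; }
    # Diagnostic: any setenforce rule not tied to the boolean would undermine the lock.
    if command -v sesearch >/dev/null 2>&1; then
        n=$(sesearch -A -c security -p setenforce -C | count_ungated_setenforce_rules)
        [ "$n" -eq 0 ] || echo "warning: $n allow rule(s) grant setenforce regardless of $BOOL" >&2
    fi
    # -P writes the value into the policy store so it survives reboot. Undoing it
    # later needs a boot where the policy is not enforced (rescue mode or the
    # enforcing=0 kernel parameter) and a setsebool -P off from there.
    setsebool -P "$BOOL" on
    verify_locked
}

case "${1:-}" in
    --apply)  apply_lockdown ;;
    --verify) verify_locked ;;
    *)        self_check; echo "offline self-checks passed; rerun as root with --apply to lock the host" ;;
esac
```

To roll the same lock out to a fleet, run the script with --apply from whatever configuration management you already use; the persistent part is a single policy-store change per host, and the --verify mode gives a check that can be re-run after every reboot.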