The "setenforce" utility requires root privileges to run. If you don't want
people to mess with your SELinux configuration, don't give them the privileges to do
it. First, don't give anyone the password for the root user. Secondly, instead of
granting full sudo privileges to your users, just grant them whatever sudo privileges they
need to perform their jobs, and nothing else.
----- Original Message -----
From: "selinux-request" <selinux-request(a)lists.fedoraproject.org>
To: selinux(a)lists.fedoraproject.org
Sent: Thursday, February 9, 2023 4:32:56 PM
Subject: selinux Digest, Vol 221, Issue 1
Today's Topics:
1. Re: get rid of setenforce (Simon Sekidde)
2. Re: get rid of setenforce (Henry Zhang)
----------------------------------------------------------------------
Date: Thu, 9 Feb 2023 16:29:15 -0500
From: Simon Sekidde <ssekidde(a)redhat.com>
Subject: Re: get rid of setenforce
To: Michael Radecker <michaelradecker(a)gmail.com>
Cc: Henry Zhang <henryzhang62(a)gmail.com>, selinux(a)lists.fedoraproject.org
Henry,
With SELinux you can confine the root user and enable
the secure_mode_policyload boolean.
Kind Regards,
On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
Henry,
The setenforce command switches SELinux temporarily. To make it persist,
change the /etc/selinux/config file and reboot.
-Mike
On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:
> Mike,
> setenforce can change mode. See:
> root@ctx0700:~# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> root@ctx0700:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: mcs
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: requested (insecure)
> Max kernel policy version: 31
> root@ctx0700:~# setenforce 0
> root@ctx0700:~# getenforce
> Permissive
> root@ctx0700:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: mcs
> Current mode: permissive
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: requested (insecure)
> Max kernel policy version: 31
> -----henry
> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
>> Henry,
>>
>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>
>> When you reboot, your system will be enforcing SELinux policies and it
>> will persist. I'm also including a link to Red Hat documentation regarding
>> this topic.
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>
>> -Mike
>>
>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
>>> Hi folks,
>>>
>>> setenforce allows users to swap selinux mode between enforcing and
>>> permissive.
>>> If I want my selinux to stay in enforcing mode forever so that nobody
>>> is able to interfere with my selinux.
>>>
>>> What should I do?
>>>
>>> Thanks.
>>>
>>> ---henry
>>> _______________________________________________
>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Simon Sekidde
------------------------------
Date: Thu, 9 Feb 2023 13:32:16 -0800
From: Henry Zhang <henryzhang62(a)gmail.com>
Subject: Re: get rid of setenforce
To: Michael Radecker <michaelradecker(a)gmail.com>
Cc: selinux(a)lists.fedoraproject.org
Mike,
If SELinux mode can be set to permissive temporarily so that people can
control the device, any way to prevent that?
---henry
On Thu, Feb 9, 2023 at 1:09 PM Michael Radecker <michaelradecker(a)gmail.com> wrote:
> Henry,
> The setenforce command switches SELinux temporarily. To make it persist,
> change the /etc/selinux/config file and reboot.
> -Mike
------------------------------
End of selinux Digest, Vol 221, Issue 1
***************************************
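
Added example, not part of the original thread: the second sestatus capture quoted above shows "Current mode" diverging from "Mode from config file" after setenforce 0. The script below flags that drift from sestatus text and checks the secure_mode_policyload boolean named in the reply; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux lockdown state from captured command output.

# Constructed sample, modelled on the second `sestatus` capture in the thread
# (taken after `setenforce 0`).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed sample of `getsebool secure_mode_policyload` output.
SAMPLE_BOOL='secure_mode_policyload --> off'

# sestatus_field TEXT LABEL: print the value of the "LABEL:   value" line.
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '
        $1 == key { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# check_mode_drift TEXT: compare the runtime mode with the configured mode.
# Returns 0 = enforcing now and after reboot,
#         1 = not enforcing right now,
#         2 = SELinux not enabled or output unparseable,
#         3 = enforcing now, but the config file would not keep it so.
check_mode_drift() {
    _st=$(sestatus_field "$1" "SELinux status")
    _cur=$(sestatus_field "$1" "Current mode")
    _cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$_st" != "enabled" ] || [ -z "$_cur" ] || [ -z "$_cfg" ]; then
        echo "FAIL: SELinux status '${_st:-unknown}', cannot compare modes"
        return 2
    fi
    if [ "$_cur" != "enforcing" ]; then
        echo "FAIL: running $_cur while the config file says $_cfg"
        return 1
    fi
    if [ "$_cfg" != "enforcing" ]; then
        echo "WARN: enforcing now, but config file says $_cfg (lost on reboot)"
        return 3
    fi
    echo "OK: enforcing at runtime and in the config file"
    return 0
}

# check_policyload_lock TEXT: with secure_mode_policyload on, the policy no
# longer permits loading policy, changing enforcing mode or changing booleans
# until the next reboot. Returns 0 = on, 1 = off, 2 = unrecognised output.
check_policyload_lock() {
    case "$1" in
        "secure_mode_policyload --> on"*)
            echo "OK: secure_mode_policyload is on"; return 0 ;;
        "secure_mode_policyload --> off"*)
            echo "WARN: secure_mode_policyload is off"; return 1 ;;
        *)
            echo "FAIL: unrecognised getsebool output"; return 2 ;;
    esac
}

# audit_lockdown SESTATUS_TEXT BOOL_TEXT: run both checks and return the
# number of checks that did not pass.
audit_lockdown() {
    _fails=0
    check_mode_drift "$1" || _fails=$((_fails + 1))
    check_policyload_lock "$2" || _fails=$((_fails + 1))
    return "$_fails"
}

# Demonstration on the constructed samples.
audit_lockdown "$SAMPLE_SESTATUS" "$SAMPLE_BOOL" || echo "checks not passed: $?"
```

On a live host, pass "$(sestatus)" and "$(getsebool secure_mode_policyload)" in place of the samples.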