Hi folks,
setenforce allows users to swap selinux mode between enforcing and permissive. If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux.
What should I do?
Thanks.
---henry
Henry,
You can edit /etc/selinux/config to state SELINUX=enforcing
When you reboot, your system will be enforcing SELinux policies and it will persist. I'm also including a link to Red Hat documentation regarding this topic.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
-Mike
On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang henryzhang62@gmail.com wrote:
---henry
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Mike,
setenforce can change mode. See:
root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
-----henry
On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker michaelradecker@gmail.com wrote:
Henry,
The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.
-Mike
On Thu, Feb 9, 2023, 12:40 PM Henry Zhang henryzhang62@gmail.com wrote:
Henry,
With SELinux you can confine the root user and enable the secure_mode_policyload boolean.
Kind Regards,
On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker michaelradecker@gmail.com wrote:
Simon,
Would you please tell me how to make it happen?
---henry
On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde ssekidde@redhat.com wrote:
--
Simon Sekidde
Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:
f37# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod             (off  ,  off)  Disable kernel module loading.
secure_mode_policyload         (off  ,  off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with SELinux permissive/disabled, etc.).
On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang henryzhang62@gmail.com wrote:
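Added example, not code from any of the posters: a POSIX sh audit of the lock-down described above (SELINUX=enforcing in /etc/selinux/config, the kernel currently enforcing, and secure_mode_policyload on), plus a dry-run version of the commands so the recipe can be reviewed before it is pushed to many hosts. It assumes the standard policycoreutils tools (sestatus, getsebool, setsebool, setenforce) and their usual output formats; the function names and the sample output strings are my own, the latter modelled on the sestatus lines quoted in the thread.

```shell
#!/bin/sh
# Audit whether a host is really locked into enforcing mode:
#   1. /etc/selinux/config sets SELINUX=enforcing          (survives reboot)
#   2. the running kernel is in enforcing mode             (sestatus)
#   3. secure_mode_policyload is on in the loaded policy   (getsebool)
# The checks parse text, so they can be run offline on captured output;
# audit_host feeds them the live files and commands.

# Returns 0 if the config file content in $1 has an uncommented SELINUX=enforcing.
config_is_enforcing() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$'
}

# Returns 0 if the sestatus output in $1 reports "Current mode: enforcing".
sestatus_current_enforcing() {
    printf '%s\n' "$1" | grep -Eq '^Current mode:[[:space:]]+enforcing$'
}

# Prints the "Loaded policy name" from sestatus output. Informational: the
# thread shows an "mcs" policy that lists the boolean but does not honour it.
sestatus_policy_name() {
    printf '%s\n' "$1" | sed -n 's/^Loaded policy name:[[:space:]]*//p'
}

# Returns 0 if "getsebool secure_mode_policyload" output in $1 says it is on.
policyload_locked() {
    printf '%s\n' "$1" | grep -Eq '^secure_mode_policyload[[:space:]]+-->[[:space:]]+on$'
}

# Runs the three checks on captured text. Prints one line per finding and
# returns the number of failed checks, so 0 means "locked down".
audit_from_text() {
    cfg="$1"; status="$2"; bool="$3"; failed=0
    if config_is_enforcing "$cfg"; then
        echo "ok   : /etc/selinux/config sets SELINUX=enforcing (persists across reboot)"
    else
        echo "FAIL : /etc/selinux/config does not set SELINUX=enforcing"
        failed=$((failed + 1))
    fi
    if sestatus_current_enforcing "$status"; then
        echo "ok   : current mode is enforcing"
    else
        echo "FAIL : current mode is not enforcing (setenforce 0 was run, or config mismatch)"
        failed=$((failed + 1))
    fi
    if policyload_locked "$bool"; then
        echo "ok   : secure_mode_policyload is on"
    else
        echo "FAIL : secure_mode_policyload is off; root can still setenforce 0 and load policy"
        failed=$((failed + 1))
    fi
    echo "info : loaded policy is '$(sestatus_policy_name "$status")'"
    return "$failed"
}

# Live audit of this host (needs the policycoreutils tools installed).
audit_host() {
    audit_from_text "$(cat /etc/selinux/config 2>/dev/null)" \
                    "$(sestatus 2>/dev/null)" \
                    "$(getsebool secure_mode_policyload 2>/dev/null)"
}

# Applies the recipe from the thread. With DRY_RUN=1 the commands are only
# printed. Once the -P boolean is on, it can only be turned off again from
# a rescue or permissive boot, so confirm recovery access first.
lock_enforcing() {
    for cmd in \
        "sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config" \
        "setenforce 1" \
        "setsebool -P secure_mode_policyload on"
    do
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "would run: $cmd"; else eval "$cmd" || return 1; fi
    done
}

# Constructed sample output, modelled on the sestatus lines quoted in the thread.
SAMPLE_CFG='# This file controls the state of SELinux on the system.
SELINUX=enforcing'
SAMPLE_STATUS_ENF='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'
SAMPLE_STATUS_PERM='SELinux status:                 enabled
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing'
SAMPLE_BOOL_ON='secure_mode_policyload --> on'
SAMPLE_BOOL_OFF='secure_mode_policyload --> off'

if [ "${1:-}" = "--live" ]; then
    audit_host
elif [ "${1:-}" = "--demo" ]; then
    audit_from_text "$SAMPLE_CFG" "$SAMPLE_STATUS_PERM" "$SAMPLE_BOOL_OFF"
fi
```

Run it with --demo to see the two failures on the constructed permissive sample, or with --live on a host to audit it; the exit status is the number of failed checks.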
Zdenek,
Thanks for the information. Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?
---henry
On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela zpytela@redhat.com wrote:
--
Zdenek Pytela Security SELinux team
Zdenek,
I have my own machine with SELinux enabled. But SELinux info is different from yours:
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  Allow secure to mode
secure_mode_insmod             (off  ,  off)  Allow secure to mode insmod
secure_mode_policyload         (off  ,  off)  Allow secure to mode policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
----henry
On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang henryzhang62@gmail.com wrote:
Zdenek,
This is what I get from my fedora 37 (VMbox):
[henryzhang@fedora ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---Henry
On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang henryzhang62@gmail.com wrote:
Zdenek,
I have my own machine with SELInux enabled. But SELinux info is different from yours: root@ctx0700:~# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: mcs Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: requested (insecure) Max kernel policy version: 31 root@ctx0700:~# semanage boolean -l | grep secure_mode secure_mode (off , off) Allow secure to mode secure_mode_insmod (off , off) Allow secure to mode insmod secure_mode_policyload (off , off) Allow secure to mode policyload root@ctx0700:~# setsebool secure_mode_policyload on root@ctx0700:~# setsebool secure_mode_policyload off root@ctx0700:~# setenforce 0 root@ctx0700:~# getenforce Permissive
----henry
On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang henryzhang62@gmail.com wrote:
Zdenek,
Thanks for the information. Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?
---henry
On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela zpytela@redhat.com wrote:
Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:
f37# semanage boolean -l | grep secure_mode secure_mode (off , off) disallow programs, such as newrole, from transitionin g to administrative user domains. secure_mode_insmod (off , off) Disable kernel module loading. secure_mode_policyload (off , off) Boolean to determine whether the system permits loadi ng policy, setting enforcing mode, and changing boolean values. Set this to true and you have to r eboot to set it back. f37# setsebool secure_mode_policyload on f37# setsebool secure_mode_policyload off Could not change active booleans: Permission denied f37# setenforce 0 setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with selinupermissive/disabled etc.)
On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang henryzhang62@gmail.com wrote:
Simon,
Would you please tell me how to make it happen?
---henry
On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde ssekidde@redhat.com wrote:
Henry,
With SELinux you can confine the root user and enable the secure_mode_policyload boolean.
Kind Regards,
On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker michaelradecker@gmail.com wrote:
Henry,
The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.
-Mike
On Thu, Feb 9, 2023, 12:40 PM Henry Zhang henryzhang62@gmail.com wrote:
--
Simon Sekidde
--
Zdenek Pytela
Security SELinux team
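The lock Zdenek describes, checked from saved output rather than on a live host, as an added example that is not code from this thread or from the SELinux project: a POSIX sh audit that reads the SELINUX= value out of a config file and the current and persistent columns of secure_mode_policyload out of a saved `semanage boolean -l` listing, then reports whether runtime mode changes are refused and whether that refusal survives a reboot (the second column, which only `setsebool -P` sets). The file names under the temporary directory and the sample listings are constructed for the example; the values are the ones posted in the thread.

```sh
#!/bin/sh
# Added example (not code from the thread or from the SELinux project):
# audit the two settings the thread turns on, the SELINUX= line in
# /etc/selinux/config and the secure_mode_policyload boolean, from text
# files so it runs without SELinux present. The file paths in make_samples
# are constructed here; the values are the ones posted in the thread.

# SELINUX= value from a config file: comments ignored, last assignment wins.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# "CURRENT PERSISTENT" for boolean $2 in saved `semanage boolean -l` output $1,
# e.g. "on off" right after `setsebool secure_mode_policyload on` without -P.
boolean_state() {
    grep "^$2[[:space:]]" "$1" \
    | sed -n 's/^[^(]*(\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1 \2/p' \
    | head -n 1
}

# "locked" when the running policy refuses setenforce, setsebool and policy
# loads (current value on), "unlocked" otherwise.
runtime_lock_state() {
    set -- $(boolean_state "$1" secure_mode_policyload)
    case "${1:-}" in
        on) echo locked ;;
        *)  echo unlocked ;;
    esac
}

# "yes" when the lock is also stored persistently (set with -P), else "no".
survives_reboot() {
    set -- $(boolean_state "$1" secure_mode_policyload)
    case "${2:-}" in
        on) echo yes ;;
        *)  echo no ;;
    esac
}

# One-line report for a config file ($1) and a saved boolean listing ($2).
audit_report() {
    printf 'config=%s runtime=%s persistent=%s\n' \
        "$(config_mode "$1")" "$(runtime_lock_state "$2")" "$(survives_reboot "$2")"
}

# Constructed samples: the config and boolean listing quoted in the thread,
# plus the state seen right after `setsebool secure_mode_policyload on`.
make_samples() {
    tmp=$(mktemp -d)
    cat > "$tmp/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
EOF
    cat > "$tmp/booleans_off" <<'EOF'
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod             (off  ,  off)  Disable kernel module loading.
secure_mode_policyload         (off  ,  off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
EOF
    cat > "$tmp/booleans_on" <<'EOF'
secure_mode_policyload         (on   ,  off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
EOF
    printf '%s\n' "$tmp"
}

# Usage with the constructed samples (on a real host: /etc/selinux/config
# and a saved `semanage boolean -l` listing).
dir=$(make_samples)
audit_report "$dir/config" "$dir/booleans_off"   # config=enforcing runtime=unlocked persistent=no
audit_report "$dir/config" "$dir/booleans_on"    # config=enforcing runtime=locked persistent=no
rm -rf "$dir"
```

The "on off" case is exactly the state after `setsebool secure_mode_policyload on` without -P: locked until the next boot and unlocked after it. Reading both columns side by side is what makes Zdenek's point visible, that -P is needed for the lock to persist, and that recovery access has to be confirmed before adding it.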
Sorry, I should have used sudo su. But I can still make changes in Fedora:

[root@fedora lib]# setsebool secure_mode_policyload on
[root@fedora lib]# setsebool secure_mode_policyload off
[root@fedora lib]# setenforce 0
[root@fedora lib]#
On Fri, Feb 10, 2023 at 4:17 PM Henry Zhang henryzhang62@gmail.com wrote:
Zdenek,
This is what I get from my fedora 37 (VMbox):

[henryzhang@fedora ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---Henry
Hello,
Setting secure_mode_policyload works as expected and I can reproduce what I posted last time. If you can see different behaviour, it probably means some other changes were made on your system which have this effect. For changes on multiple systems, you can use e.g. semanage export/import or linux-system-roles.
On Sat, Feb 11, 2023 at 2:01 AM Henry Zhang henryzhang62@gmail.com wrote:
Sorry, I should have used sudo su. But I can still make changes in Fedora:

[root@fedora lib]# setsebool secure_mode_policyload on
[root@fedora lib]# setsebool secure_mode_policyload off
[root@fedora lib]# setenforce 0
[root@fedora lib]#
Mike,
If SELinux mode can be set to permissive temporarily so that people can control the device, is there any way to prevent that?
---henry
On Thu, Feb 9, 2023 at 1:09 PM Michael Radecker michaelradecker@gmail.com wrote:
Henry,
The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.
-Mike
On Thu, Feb 9, 2023, 12:40 PM Henry Zhang henryzhang62@gmail.com wrote:
Mike,
setenforce can change mode. See:
root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing

root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31

root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31
-----henry
On 2/9/23 14:32, Henry Zhang wrote:
If SELinux mode can be set to permissive temporarily so that people can control the device, is there any way to prevent that?
But only root can run the setenforce command... I'm not really sure what the value is in trying to stop root from doing this, because there is always another way (for example, the root user could just update grub to add selinux=0 to the kernel command line).
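A check for the boot-time override mentioned above, as an added example (not code from this thread): since a persistent lock on the running policy says nothing about the next boot, a defender wants to know whether a kernel command line or the GRUB defaults file carries selinux=0 (SELinux disabled) or enforcing=0 (a documented kernel parameter of the same kind, which requests permissive mode). The functions work on text, so they run over /proc/cmdline, /etc/default/grub, or, as here, constructed sample strings and a constructed GRUB file; the sample values are made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread): detect a boot-time override of the
# SELinux mode by inspecting a kernel command line as text, so it can run
# over /proc/cmdline, a GRUB defaults file, or a saved copy. The sample
# command lines and GRUB file below are constructed.

# Value of kernel parameter $2 in command line $1 (last occurrence printed),
# or nothing if it is absent.
cmdline_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# "disabled" for selinux=0, "permissive" for enforcing=0, "none" when the
# mode is left to /etc/selinux/config.
boot_override() {
    case "$(cmdline_param "$1" selinux)" in 0) echo disabled; return ;; esac
    case "$(cmdline_param "$1" enforcing)" in 0) echo permissive; return ;; esac
    echo none
}

# Same check over the GRUB_CMDLINE_LINUX* lines of an /etc/default/grub-style
# file ($1), which is where a persistent override would be written.
grub_override() {
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX[A-Z_]*="\(.*\)"/\1/p' "$1" | tr '\n' ' ')
    boot_override "$line"
}

# Constructed sample command lines.
CLEAN='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rootvg-root ro rhgb quiet'
TAMPERED="$CLEAN selinux=0"

# Constructed GRUB defaults file with an override hidden in the second line.
make_grub_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.lvm.lv=rootvg/root rhgb quiet"
GRUB_CMDLINE_LINUX_DEFAULT="enforcing=0"
EOF
    printf '%s\n' "$f"
}

# Usage with the constructed samples (on a real host: "$(cat /proc/cmdline)"
# and /etc/default/grub).
printf 'live clean:    %s\n' "$(boot_override "$CLEAN")"       # none
printf 'live tampered: %s\n' "$(boot_override "$TAMPERED")"    # disabled
grub=$(make_grub_sample)
printf 'grub file:     %s\n' "$(grub_override "$grub")"        # permissive
rm -f "$grub"
```

Running it against both /proc/cmdline and the GRUB defaults catches the two cases that differ: a one-off edit at the boot prompt, which only shows in the live command line, and a persistent edit to the defaults file, which shows before the next reboot. Either finding is worth an alert, since with secure_mode_policyload on it is the remaining way to come back up with a different mode.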