On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting) ?

Typically, the can_setenforce() macro defined in macros/core_macros.te is used in the policy to allow processes to change /selinux/enforce (which is how setenforce works). It is used in macros/admin_macros.te to allow administrators to do it, and in domains/program/initrc.te to allow /etc/rc.d/rc.sysinit to do it for emergency recovery situations. So you could remove its individual occurrences or change the macro definition to expand to nothing. You likely also would want to modify the unconfined_domain definition and update the assertion in assert.te to check that it isn't granted anywhere else.

Naturally, the problem then becomes dealing with policy updates after making such a customization, so you might want to consider implementing this as a policy boolean or tunable and submitting it for inclusion in the standard policy. That would let you disable it easily without having to make invasive changes to the policy.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
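
One way to check a policy source tree for remaining setenforce grants after the customization described in the message above, as an added example that is not part of the original thread: the script lists every uncommented can_setenforce() call and every allow rule on the security class that names setenforce. The sample tree and its file contents are constructed for illustration; only the file names and the macro name come from the message.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a policy source tree
# for everything that can grant the setenforce permission.

# Print "file:line:text" for each uncommented can_setenforce() call and each
# allow rule on class "security" that names the setenforce permission.
find_setenforce_grants() {
    {
        grep -rnE --include='*.te' '^[^#]*can_setenforce\(' "$1" || true
        grep -rnE --include='*.te' \
            '^[[:space:]]*allow[[:space:]].*:security[[:space:]].*setenforce' "$1" || true
    } | sort
}

# Build a small CONSTRUCTED tree. File names follow the message; the file
# contents are illustrative and are not the real strict policy sources.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/macros" "$t/domains/program"
    cat > "$t/macros/core_macros.te" <<'EOF'
define(`can_setenforce',`
allow $1 security_t:security setenforce;
')
EOF
    echo 'can_setenforce($1_t)' > "$t/macros/admin_macros.te"
    echo 'can_setenforce(initrc_t)' > "$t/domains/program/initrc.te"
    # A commented-out call and an unrelated permission: neither is reported.
    cat > "$t/domains/program/local.te" <<'EOF'
# can_setenforce(local_t) removed locally
allow local_t security_t:security setbool;
EOF
    echo "$t"
}

tree=$(make_sample_tree)
find_setenforce_grants "$tree"
rm -rf "$tree"
```

An empty result after the customization means no source file still calls the macro or grants the permission directly; the allow rule reported inside core_macros.te is the macro body itself.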