On Wed, 2012-02-22 at 11:34 -0600, Bruno Wolff III wrote:
> I remember that once upon a time there was a boolean (or at least a setting
> in system-config-selinux) that would block root from using setenforce to
> change from enforcing to permissive mode.
>
> I can't seem to find it now on F17. I haven't figured out the correct
> combo to find this via google.

It is secure_mode_policyload.

$ getsebool -a | grep secure_mode
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off

$ sesearch --allow -SCT | grep secure_mode_policyload
EF allow can_setenforce security_t : security setenforce ; [ secure_mode_policyload ]
EF allow can_load_policy security_t : security load_policy ; [ secure_mode_policyload ]
EF allow can_setenforce security_t : file { ioctl read write getattr lock append open } ; [ secure_mode_policyload ]
EF allow can_setenforce security_t : dir { ioctl read getattr lock search open } ; [ secure_mode_policyload ]
EF allow can_setbool boolean_type : security setbool ; [ secure_mode_policyload ]
EF allow can_setenforce sysfs_t : filesystem getattr ; [ secure_mode_policyload ]
EF allow can_setenforce sysfs_t : dir { getattr search open } ; [ secure_mode_policyload ]

> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permissive mode.
>
> Is this setting gone now? If not can someone point me to what it is or
> documentation about it?
>
> Thanks.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
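The sesearch output quoted above is compact but easy to misread, so the following is an added example (not code from the thread or from setools) that parses lines in that format and answers the practical question the thread raises: which permissions does secure_mode_policyload gate, and what is the boolean's current value? It assumes the setools 3 conditional-rule prefix convention, where the first letter (E/D) says whether the rule is currently enabled and the second (T/F) says whether it sits in the true or false branch of the conditional; a rule in the false branch that is enabled therefore tells us the boolean is off. The sample input is constructed from the lines in the message, and the helper names are my own.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

# Constructed sample: the sesearch lines quoted in the thread above.
SAMPLE_SESEARCH = """\
EF allow can_setenforce security_t : security setenforce ; [ secure_mode_policyload ]
EF allow can_load_policy security_t : security load_policy ; [ secure_mode_policyload ]
EF allow can_setenforce security_t : file { ioctl read write getattr lock append open } ; [ secure_mode_policyload ]
EF allow can_setenforce security_t : dir { ioctl read getattr lock search open } ; [ secure_mode_policyload ]
EF allow can_setbool boolean_type : security setbool ; [ secure_mode_policyload ]
EF allow can_setenforce sysfs_t : filesystem getattr ; [ secure_mode_policyload ]
EF allow can_setenforce sysfs_t : dir { getattr search open } ; [ secure_mode_policyload ]
"""

# Matches one conditional allow rule as printed by setools 3 sesearch (assumed format):
#   <E|D><T|F> allow <source> <target> : <class> <perm | { perms }> ; [ <condition> ]
RULE_RE = re.compile(
    r"^(?P<state>[ED])(?P<branch>[TF])\s+allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;\s*\[\s*(?P<cond>[^\]]*?)\s*\]\s*$"
)


class CondRule(NamedTuple):
    enabled: bool          # E = currently enabled, D = disabled
    true_branch: bool      # T = rule in the "if" branch, F = in the "else" branch
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]
    condition: str


def parse_sesearch(text: str) -> List[CondRule]:
    """Parse sesearch conditional allow rules; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms").strip("{} ").split()
        rules.append(CondRule(
            enabled=m.group("state") == "E",
            true_branch=m.group("branch") == "T",
            source=m.group("src"),
            target=m.group("tgt"),
            tclass=m.group("cls"),
            perms=frozenset(perms),
            condition=m.group("cond"),
        ))
    return rules


def gated_by(rules: List[CondRule], boolean: str) -> Dict[Tuple[str, str, str], FrozenSet[str]]:
    """Permissions that exist only while `boolean` is off, keyed by (source, target, class).

    Assumes a simple single-boolean condition, so the false branch is the "boolean off" case.
    """
    out: Dict[Tuple[str, str, str], FrozenSet[str]] = {}
    for r in rules:
        if boolean in r.condition.split() and not r.true_branch:
            key = (r.source, r.target, r.tclass)
            out[key] = out.get(key, frozenset()) | r.perms
    return out


def boolean_state(rules: List[CondRule], boolean: str) -> Optional[str]:
    """Infer 'on' or 'off' for `boolean` from which branch's rules are enabled; None if unseen."""
    for r in rules:
        if r.condition.split() == [boolean]:
            # Enabled rule in the true branch => boolean on; in the false branch => off.
            return "on" if (r.enabled == r.true_branch) else "off"
    return None


if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    print("secure_mode_policyload is", boolean_state(rules, "secure_mode_policyload"))
    for (src, tgt, cls), perms in sorted(gated_by(rules, "secure_mode_policyload").items()):
        print(f"{src} -> {tgt}:{cls} loses {' '.join(sorted(perms))} when the boolean is on")
```

On the machine in the thread this reports the boolean as off and lists setenforce, load_policy and setbool among the permissions removed once it is turned on; that is why it blocks root from switching to permissive mode, and also why flipping it on (with a persistent setsebool) is a one-way door until reboot, since setbool itself is on the list.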