The "setenforce" utility requires root privileges to run. If you don't want people to mess with your SELinux configuration, don't give them the privileges to do it. First, don't give anyone the password for the root user. Secondly, instead of granting full sudo privileges to your users, just grant them whatever sudo privileges they need to perform their jobs, and nothing else.

----- Original Message -----
From: "selinux-request" <selinux-request@xxxxxxxxxxxxxxxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Thursday, February 9, 2023 4:32:56 PM
Subject: selinux Digest, Vol 221, Issue 1

Send selinux mailing list submissions to
	selinux@xxxxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via email, send a message with subject or
body 'help' to
	selinux-request@xxxxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
	selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of selinux digest..."

Today's Topics:

   1. Re: get rid of setenforce (Simon Sekidde)
   2. Re: get rid of setenforce (Henry Zhang)

----------------------------------------------------------------------

Date: Thu, 9 Feb 2023 16:29:15 -0500
From: Simon Sekidde <ssekidde@xxxxxxxxxx>
Subject: Re: get rid of setenforce
To: Michael Radecker <michaelradecker@xxxxxxxxx>
Cc: Henry Zhang <henryzhang62@xxxxxxxxx>, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <CAE6848kaW7S2-ZKbcy7yn_7oLJXwZOvhx=qfhS7y6LD=QErRXg@xxxxxxxxxxxxxx>

Henry,

With SELinux you can confine the root user and enable the secure_mode_policyload boolean.

Kind Regards,

On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:

> Henry,
>
> The setenforce command switches SELinux temporarily. To make it persist,
> change the /etc/selinux/config file and reboot.
>
> -Mike
>
> On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>
>> Mike,
>>
>> setenforce can change mode. See:
>>
>> root@ctx0700:~# cat /etc/selinux/config
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> #     enforcing - SELinux security policy is enforced.
>> #     permissive - SELinux prints warnings instead of enforcing.
>> #     disabled - No SELinux policy is loaded.
>> SELINUX=enforcing
>>
>> root@ctx0700:~# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /sys/fs/selinux
>> SELinux root directory:         /etc/selinux
>> Loaded policy name:             mcs
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy MLS status:              enabled
>> Policy deny_unknown status:     allowed
>> Memory protection checking:     requested (insecure)
>> Max kernel policy version:      31
>>
>> root@ctx0700:~# setenforce 0
>> root@ctx0700:~# getenforce
>> Permissive
>> root@ctx0700:~# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /sys/fs/selinux
>> SELinux root directory:         /etc/selinux
>> Loaded policy name:             mcs
>> Current mode:                   permissive
>> Mode from config file:          enforcing
>> Policy MLS status:              enabled
>> Policy deny_unknown status:     allowed
>> Memory protection checking:     requested (insecure)
>> Max kernel policy version:      31
>>
>> -----henry
>>
>> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:
>>
>>> Henry,
>>>
>>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>>
>>> When you reboot, your system will be enforcing SELinux policies and it
>>> will persist. I'm also including a link to Red Hat documentation regarding
>>> this topic.
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
>>>
>>> -Mike
>>>
>>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> setenforce allows users to swap selinux mode between enforcing and
>>>> permissive.
>>>> If I want my selinux to stay in enforcing mode forever so that nobody
>>>> is able to interfere with my selinux.
>>>>
>>>> What should I do?
>>>>
>>>> Thanks.
>>>>
>>>> ---henry

--
Simon Sekidde
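Here is an added example that is not code from this thread or from the SELinux project: a POSIX shell audit that checks the three things Simon's advice above comes down to, namely that the kernel is enforcing and /etc/selinux/config agrees, that secure_mode_policyload is on, and that the root login is mapped to a confined SELinux user, plus a scan of /etc/sudoers for rules that hand a user or group ALL instead of the specific commands the reply at the top of this page recommends. It assumes a Fedora or RHEL host with policycoreutils (sestatus, getsebool, semanage) and that sysadm_u is the site's confined administrator user; the sudoers scan is deliberately simple and ignores aliases, @include files and line continuations. Two caveats the thread does not state: the kernel checks the setenforce permission of the calling process's domain when /sys/fs/selinux/enforce is written, and in the reference policy and Fedora's targeted policy that permission is conditional on secure_mode_policyload being off even for unconfined_t, so once the boolean is persisted with -P, turning it off again means booting permissive first (enforcing=0 on the kernel command line or SELINUX=permissive). That reboot path is also the residual gap: anyone who can edit /etc/selinux/config or the boot loader configuration and reboot still gets permissive mode, so "forever" really requires a kernel built without CONFIG_SECURITY_SELINUX_DEVELOP, which removes permissive-mode support altogether, together with a boot chain those users cannot modify.

```shell
#!/bin/sh
# selinux_lockdown_audit.sh: check that a host is locked against setenforce and
# policy changes. Added example, not code from the thread or the SELinux project.
# It parses the output of sestatus(8), getsebool(8) and "semanage login -l" and
# reports whether (1) the kernel is enforcing and /etc/selinux/config agrees,
# (2) secure_mode_policyload is on, and (3) the root login is mapped to a
# confined SELinux user. Assumptions: policycoreutils is installed and sysadm_u
# is the site's confined admin user. Run as root; semanage needs the policy store.

# 0 when both "Current mode" and "Mode from config file" are enforcing.
# $1: sestatus output.
mode_is_locked() {
  current=$(printf '%s\n' "$1" | awk -F: '/^Current mode:/ { gsub(/[ \t]/, "", $2); print $2 }')
  configured=$(printf '%s\n' "$1" | awk -F: '/^Mode from config file:/ { gsub(/[ \t]/, "", $2); print $2 }')
  [ "$current" = "enforcing" ] && [ "$configured" = "enforcing" ]
}

# 0 when the boolean is on. $1: output of "getsebool secure_mode_policyload",
# which looks like "secure_mode_policyload --> on".
policyload_is_locked() {
  printf '%s\n' "$1" | grep -q '^secure_mode_policyload --> on$'
}

# 0 when root is mapped to a confined SELinux user. $1: "semanage login -l"
# output (whitespace-separated columns: login, SELinux user, range, service).
# If there is no explicit root line, root inherits the __default__ mapping.
root_is_confined() {
  seuser=$(printf '%s\n' "$1" | awk '
    $1 == "root"        { r = $2 }
    $1 == "__default__" { d = $2 }
    END { print (r != "" ? r : d) }')
  [ -n "$seuser" ] && [ "$seuser" != "unconfined_u" ]
}

# 0 when a sudoers rule for $2 (a user, or %group) has ALL in its command list,
# i.e. grants unrestricted sudo. $1: sudoers text. Deliberately simple: aliases,
# @include files and backslash line continuations are not handled.
sudoers_grants_all() {
  printf '%s\n' "$1" | awk -v who="$2" '
    /^[ \t]*#/ || NF == 0 { next }                      # comments, blank lines
    $1 == who {
      cmds = $0
      sub(/^[^=]*=/, "", cmds)                          # drop "who host="
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)           # drop "(runas)"
      gsub(/(NOPASSWD|PASSWD|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):[ \t]*/, "", cmds)
      n = split(cmds, list, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", list[i])
        if (list[i] == "ALL") found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# Live audit of this host. Tools that are missing are skipped so the script is
# harmless on a machine without SELinux userspace. Returns 1 if any check fails.
audit_host() {
  rc=0
  if command -v sestatus >/dev/null 2>&1; then
    if mode_is_locked "$(sestatus)"; then
      echo "ok:   kernel is enforcing and /etc/selinux/config agrees"
    else
      echo "FAIL: not enforcing in both kernel and config file"; rc=1
    fi
  else
    echo "skip: sestatus not installed"
  fi
  if command -v getsebool >/dev/null 2>&1; then
    if policyload_is_locked "$(getsebool secure_mode_policyload 2>/dev/null)"; then
      echo "ok:   secure_mode_policyload is on (setenforce/load_policy/setbool denied)"
    else
      echo "FAIL: secure_mode_policyload is off; fix: setsebool -P secure_mode_policyload on"; rc=1
    fi
  else
    echo "skip: getsebool not installed"
  fi
  if command -v semanage >/dev/null 2>&1; then
    if root_is_confined "$(semanage login -l 2>/dev/null)"; then
      echo "ok:   root login is mapped to a confined SELinux user"
    else
      echo "FAIL: root is unconfined_u; fix: semanage login -m -s sysadm_u root"; rc=1
    fi
  else
    echo "skip: semanage not installed"
  fi
  if [ -r /etc/sudoers ] && sudoers_grants_all "$(cat /etc/sudoers)" "%wheel"; then
    echo "warn: %wheel has 'ALL' in /etc/sudoers; grant only the commands each role needs"
  fi
  return "$rc"
}

audit_host
```

Run it as root: getsebool works for any user, but semanage login -l reads the policy store and /etc/sudoers is mode 0440. On a host without SELinux userspace every live check is skipped, which is why the parsing helpers take text as an argument: they can be fed output captured on another machine. Try the remediation commands on a test host first; confining root to sysadm_u changes what an interactive root shell is allowed to do, and the boolean cannot be undone without a reboot into permissive mode.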
------------------------------

Date: Thu, 9 Feb 2023 13:32:16 -0800
From: Henry Zhang <henryzhang62@xxxxxxxxx>
Subject: Re: get rid of setenforce
To: Michael Radecker <michaelradecker@xxxxxxxxx>
Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <CANTW0yr8w5fb_VnU=JHp44Pi=sJrd=2HH2Umfr1D1y9cuiFqYQ@xxxxxxxxxxxxxx>

Mike,

If SELinux mode can be set to permissive temporarily so that people can
control the device, is there any way to prevent that?

---henry

On Thu, Feb 9, 2023 at 1:09 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:

> Henry,
>
> The setenforce command switches SELinux temporarily. To make it persist,
> change the /etc/selinux/config file and reboot.
>
> -Mike

------------------------------

Subject: Digest Footer

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

------------------------------

End of selinux Digest, Vol 221, Issue 1
***************************************