Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:
f37# semanage boolean -l | grep secure_mode
secure_mode (off , off) disallow programs, such as newrole, from transitionin
g to administrative user domains.
secure_mode_insmod (off , off) Disable kernel module loading.
secure_mode_policyload (off , off) Boolean to determine whether the system permits loadi
ng policy, setting enforcing mode, and changing boolean values. Set this to true and you have to r
eboot to set it back.
secure_mode (off , off) disallow programs, such as newrole, from transitionin
g to administrative user domains.
secure_mode_insmod (off , off) Disable kernel module loading.
secure_mode_policyload (off , off) Boolean to determine whether the system permits loadi
ng policy, setting enforcing mode, and changing boolean values. Set this to true and you have to r
eboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce: setenforce() failed
setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with selinupermissive/disabled etc.)
On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Simon,Would you please tell me how to make it happen?---henry_______________________________________________On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde@xxxxxxxxxx> wrote:Henry,With SELinux you can confine the root user and enable the secure_mode_policyload boolean.Kind Regards,On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:Henry,The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.-Mike_______________________________________________On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:Mike,setenforce can change mode. See:root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcingroot@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31-----henryOn Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:Henry,You can edit /etc/selinux/config to state SELINUX=enforcingWhen you reboot, your system will be enforcing SELinux policies and it will persist. I'm also including a link to Red Hat documentation regarding this topic.-MikeOn Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:Hi folks,_______________________________________________setenforce allows users to swap selinux mode between enforcing and permissive.
If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux.What should I do?Thanks.---henry
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--Simon Sekidde
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek Pytela
Security SELinux team
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue