Re: get rid of setenforce

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Zdenek,

This is what I get from my fedora 37 (VMbox):
[henryzhang@fedora ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce:  security_setenforce() failed:  Permission denied

Looks like Fedora already enforced it.

What is wrong with my own SELinux?

---Henry

On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,

I have my own machine with SELInux enabled. But SELinux info is different from yours:
root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  Allow secure to mode
secure_mode_insmod             (off  ,  off)  Allow secure to mode insmod
secure_mode_policyload         (off  ,  off)  Allow secure to mode policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive


----henry

On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,

Thanks for the information.
Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?

---henry

On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:
Henry,

Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:

f37# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitionin
g to administrative user domains.
secure_mode_insmod             (off  ,  off)  Disable kernel module loading.
secure_mode_policyload         (off  ,  off)  Boolean to determine whether the system permits loadi
ng policy, setting enforcing mode, and changing boolean values.  Set this to true and you have to r
eboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce:  setenforce() failed

With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with selinupermissive/disabled etc.)


On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Simon,

Would you please tell me how to make it happen?

---henry

On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde@xxxxxxxxxx> wrote:
Henry, 

With SELinux you can confine the root user and enable the secure_mode_policyload boolean. 

Kind Regards, 

On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:
Henry, 

The setenforce command switches SELinux temporarily.  To make it persist, change the /etc/selinux/config file and reboot.


-Mike

On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Mike,

setenforce can change mode. See:

root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing

root@ctx0700:~# sestatus                                                                                                                                              
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31

root@ctx0700:~# setenforce 0                                                                                                                                          
root@ctx0700:~# getenforce                                                                                                                                            
Permissive
root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31

-----henry

On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:
Henry,

You can edit /etc/selinux/config to state SELINUX=enforcing

When you reboot, your system will be enforcing SELinux policies and it will persist.  I'm also including a link to Red Hat documentation regarding this topic.


-Mike


On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Hi folks,

setenforce allows users to swap selinux mode between enforcing and permissive. 
If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux.

What should I do?

Thanks.

---henry
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Simon Sekidde

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux