Zdenek,
This is what I get from my fedora 37 (VMbox):[henryzhang@fedora ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---Henry
On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,
I have my own machine with SELInux enabled. But SELinux info is different from yours:
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode (off , off) Allow secure to mode
secure_mode_insmod (off , off) Allow secure to mode insmod
secure_mode_policyload (off , off) Allow secure to mode policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive----henryOn Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:Zdenek,Thanks for the information.Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?---henryOn Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:Henry,Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:f37# semanage boolean -l | grep secure_mode
secure_mode (off , off) disallow programs, such as newrole, from transitionin
g to administrative user domains.
secure_mode_insmod (off , off) Disable kernel module loading.
secure_mode_policyload (off , off) Boolean to determine whether the system permits loadi
ng policy, setting enforcing mode, and changing boolean values. Set this to true and you have to r
eboot to set it back.f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission deniedf37# setenforce 0
setenforce: setenforce() failedWith the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with selinupermissive/disabled etc.)On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:Simon,Would you please tell me how to make it happen?---henry_______________________________________________On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde@xxxxxxxxxx> wrote:Henry,With SELinux you can confine the root user and enable the secure_mode_policyload boolean.Kind Regards,On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:Henry,The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.-Mike_______________________________________________On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:Mike,setenforce can change mode. See:root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcingroot@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31-----henryOn Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:Henry,You can edit /etc/selinux/config to state SELINUX=enforcingWhen you reboot, your system will be enforcing SELinux policies and it will persist. I'm also including a link to Red Hat documentation regarding this topic.-MikeOn Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:Hi folks,_______________________________________________setenforce allows users to swap selinux mode between enforcing and permissive.
If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux.What should I do?Thanks.---henry
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--Simon Sekidde
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek PytelaSecurity SELinux team
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
