Hello,
Setting secure_mode_policyload works as expected and I can reproduce what I posted last time. If you can see different behaviour, it probably means some other changes were made on your system which have this effect.
For changes on multiple systems, you can use e.g. semanage export/import or linux-system-roles.
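Zdenek's advice turned into a script, as an added example that is not code from the thread: it refuses to apply the lock unless /etc/selinux/config already says enforcing (a `setsebool -P` of secure_mode_policyload can only be undone from a rescue boot), verifies after the change that clearing the boolean and `setenforce 0` are now denied, and prints a `semanage import` line for rolling the same setting out to other hosts. It assumes the Fedora/RHEL policy and the setsebool/getsebool/semanage tools shown in the transcripts; the script and function names, and the assumed `boolean -m -1 <name>` shape of a `semanage export` line, are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): lock SELinux mode and boolean
# changes with secure_mode_policyload and verify that the lock took.
# Assumes setsebool/getsebool/semanage from the Fedora/RHEL policy tools.
set -eu

# Current value from a `getsebool` line ("secure_mode_policyload --> on").
bool_value() {
    line="$1"
    line="${line##* }"                 # last field: on|off
    case "$line" in
        on|off) printf '%s\n' "$line" ;;
        *) printf 'unparsable getsebool line: %s\n' "$1" >&2; return 1 ;;
    esac
}

# "name current persistent" for the secure_mode_* lines of
# `semanage boolean -l`, whose second column is "(current , persistent)".
secure_mode_states() {
    awk '$1 ~ /^secure_mode/ {
        gsub(/[(),]/, "", $2); gsub(/[(),]/, "", $4); print $1, $2, $4 }'
}

# SELINUX= value from an /etc/selinux/config-style file (comments ignored).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Line for `semanage import -f <file>` that re-creates the lock elsewhere.
# Assumed format: `semanage export` writes "boolean -m -1 <name>" for a
# boolean that is persistently on (this is an assumption of the example).
import_fragment() {
    printf 'boolean -m -1 secure_mode_policyload\n'
}

# The destructive part. -P writes to the policy store, so the boolean
# survives reboot and can only be cleared from a rescue boot afterwards
# (e.g. enforcing=0 or selinux=0 on the kernel command line).
lock_policyload() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    mode=$(config_mode /etc/selinux/config)
    if [ "$mode" != enforcing ]; then
        echo "refusing: SELINUX=${mode:-unset} in /etc/selinux/config, not enforcing" >&2
        return 1
    fi
    setsebool -P secure_mode_policyload on
    # Verify: as in the f37 transcript, clearing the boolean and leaving
    # enforcing mode must now both fail with Permission denied. If they
    # still succeed (as on ctx0700 above), the lock is not effective.
    if setsebool secure_mode_policyload off 2>/dev/null; then
        echo "lock did not take: boolean could still be cleared" >&2
        return 2
    fi
    if setenforce 0 2>/dev/null; then
        setenforce 1
        echo "lock did not take: setenforce 0 was still permitted" >&2
        return 2
    fi
    [ "$(bool_value "$(getsebool secure_mode_policyload)")" = on ]
}

# Usage: sh lock-policyload.sh --apply     (lock this host)
#        sh lock-policyload.sh --fragment  (print the semanage import line)
case "${1:-}" in
    --apply)    lock_policyload ;;
    --fragment) import_fragment ;;
esac
```

The verification step is the part worth keeping even if you apply the boolean by other means: a persistent value of "on" in `semanage boolean -l` says nothing about whether the kernel actually denies the change, so test it with a real `setsebool ... off` (and `setenforce 0`) and treat success as a sign that the loaded policy differs from the one you expected.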
On Sat, Feb 11, 2023 at 2:01 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Sorry, I should use sudo su. But I still can make changes in Fedora:
[root@fedora lib]# setsebool secure_mode_policyload on
[root@fedora lib]# setsebool secure_mode_policyload off
[root@fedora lib]# setenforce 0
[root@fedora lib]#

On Fri, Feb 10, 2023 at 4:17 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,
This is what I get from my fedora 37 (VMbox):
[henryzhang@fedora ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---
Henry

On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,
I have my own machine with SELInux enabled. But SELinux info is different from yours:
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode (off , off) Allow secure to mode
secure_mode_insmod (off , off) Allow secure to mode insmod
secure_mode_policyload (off , off) Allow secure to mode policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
----
henry

On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,
Thanks for the information.
Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?
---
henry

On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:
Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:
f37# semanage boolean -l | grep secure_mode
secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod (off , off) Disable kernel module loading.
secure_mode_policyload (off , off) Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with selinux permissive/disabled etc.)

On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Simon,
Would you please tell me how to make it happen?
---
henry

On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde <ssekidde@xxxxxxxxxx> wrote:
Henry,
With SELinux you can confine the root user and enable the secure_mode_policyload boolean.
Kind Regards,

On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:
Henry,
The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.
-Mike

On Thu, Feb 9, 2023, 12:40 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Mike,
setenforce can change mode. See:
root@ctx0700:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
root@ctx0700:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
-----
henry

On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@xxxxxxxxx> wrote:
Henry,
You can edit /etc/selinux/config to state SELINUX=enforcing
When you reboot, your system will be enforcing SELinux policies and it will persist. I'm also including a link to Red Hat documentation regarding this topic.
-Mike

On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Hi folks,
setenforce allows users to swap selinux mode between enforcing and permissive.
If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux, what should I do?
Thanks.
---
henry
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Simon Sekidde
--
Zdenek Pytela
Security SELinux team