On 2/9/23 14:32, Henry Zhang wrote:
> If SELinux mode can be set to permissive temporarily so that people can
> control the device.
> any way to prevent that?

But only root can run the setenforce command...

I'm not really sure what the value is in trying to stop root from doing this because there is always another way (for example, root user could just update grub to add selinux=0 on kernel command line)
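
The two routes named in the reply (a runtime switch to permissive and a `selinux=0` boot parameter) can at least be detected after the fact. The following is an added example, not part of the original message: the function names are hypothetical and the sample kernel command line and audit records are constructed. It assumes auditd is logging `MAC_STATUS` records.

```shell
#!/bin/sh
# Added example: flag the two SELinux bypasses mentioned in the thread.
# Sample inputs below are constructed, not taken from a real system.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-6.1.0 root=/dev/mapper/root ro quiet selinux=0'
SAMPLE_AUDIT='type=MAC_STATUS msg=audit(1675974720.123:456): enforcing=0 old_enforcing=1 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
type=MAC_STATUS msg=audit(1675975000.456:789): enforcing=1 old_enforcing=0 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1'

# Print each kernel command-line token that disables SELinux (selinux=0)
# or boots it in permissive mode (enforcing=0).
cmdline_selinux_overrides() {
    for tok in $1; do
        case "$tok" in
            selinux=0|enforcing=0) printf '%s\n' "$tok" ;;
        esac
    done
}

# Print "<timestamp:serial> auid=<uid>" for every audit record where the
# mode went from enforcing to permissive. The auid is the login UID of the
# session that made the change, which survives su/sudo to root.
permissive_switches() {
    printf '%s\n' "$1" | awk '
        /^type=MAC_STATUS / && / enforcing=0 / && / old_enforcing=1 / {
            id = $2
            sub(/^msg=audit\(/, "", id)
            sub(/\):$/, "", id)
            auid = "auid=?"
            for (i = 3; i <= NF; i++) if ($i ~ /^auid=/) auid = $i
            print id, auid
        }'
}

echo "boot overrides: $(cmdline_selinux_overrides "$SAMPLE_CMDLINE")"
echo "permissive switches: $(permissive_switches "$SAMPLE_AUDIT")"
```

On a live host, pass the contents of `/proc/cmdline` to the first function and the contents of `/var/log/audit/audit.log` to the second.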