Zdenek,
This is what I get from my fedora 37 (VMbox):

[henryzhang@fedora ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ semanage boolean -l | grep secure_mode
ValueError: SELinux policy is not managed or store cannot be accessed.
[henryzhang@fedora ~]$ getenforce
Enforcing
[henryzhang@fedora ~]$ setenforce 0
setenforce: security_setenforce() failed: Permission denied
Looks like Fedora already enforced it.
What is wrong with my own SELinux?
---Henry
On Fri, Feb 10, 2023 at 4:04 PM Henry Zhang henryzhang62@gmail.com wrote:
Zdenek,
I have my own machine with SELinux enabled. But SELinux info is different from yours:

root@ctx0700:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31
root@ctx0700:~# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  Allow secure to mode
secure_mode_insmod             (off  ,  off)  Allow secure to mode insmod
secure_mode_policyload         (off  ,  off)  Allow secure to mode policyload
root@ctx0700:~# setsebool secure_mode_policyload on
root@ctx0700:~# setsebool secure_mode_policyload off
root@ctx0700:~# setenforce 0
root@ctx0700:~# getenforce
Permissive
----henry
On Fri, Feb 10, 2023 at 2:42 PM Henry Zhang henryzhang62@gmail.com wrote:
Zdenek,
Thanks for the information. Is it possible for me to convert those actions into SELinux policy so that I do not have to do the above operation for all machines with SELinux enabled?
---henry
On Fri, Feb 10, 2023 at 1:37 AM Zdenek Pytela zpytela@redhat.com wrote:
Henry,
Enable the boolean as Simon suggested using setsebool. This is also a list of other related booleans:
f37# semanage boolean -l | grep secure_mode
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_insmod             (off  ,  off)  Disable kernel module loading.
secure_mode_policyload         (off  ,  off)  Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
f37# setsebool secure_mode_policyload on
f37# setsebool secure_mode_policyload off
Could not change active booleans: Permission denied
f37# setenforce 0
setenforce: setenforce() failed
With the -P switch, the change will be permanent, so remember to check you have some recovery access to the system before you do it (rescue mode, booting with SELinux permissive/disabled, etc.).
On Thu, Feb 9, 2023 at 10:35 PM Henry Zhang henryzhang62@gmail.com wrote:
Simon,
Would you please tell me how to make it happen?
---henry
On Thu, Feb 9, 2023 at 1:29 PM Simon Sekidde ssekidde@redhat.com wrote:
Henry,
With SELinux you can confine the root user and enable the secure_mode_policyload boolean.
Kind Regards,
On Thu, Feb 9, 2023 at 4:10 PM Michael Radecker <michaelradecker@gmail.com> wrote:
Henry,
The setenforce command switches SELinux temporarily. To make it persist, change the /etc/selinux/config file and reboot.
-Mike
On Thu, Feb 9, 2023, 12:40 PM Henry Zhang henryzhang62@gmail.com wrote:
> Mike,
>
> setenforce can change mode. See:
>
> root@ctx0700:~# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=enforcing
>
> root@ctx0700:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             mcs
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     requested (insecure)
> Max kernel policy version:      31
>
> root@ctx0700:~# setenforce 0
> root@ctx0700:~# getenforce
> Permissive
> root@ctx0700:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             mcs
> Current mode:                   permissive
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     requested (insecure)
> Max kernel policy version:      31
>
> -----henry
>
> On Thu, Feb 9, 2023 at 12:11 PM Michael Radecker <michaelradecker@gmail.com> wrote:
>
>> Henry,
>>
>> You can edit /etc/selinux/config to state SELINUX=enforcing
>>
>> When you reboot, your system will be enforcing SELinux policies and it will persist. I'm also including a link to Red Hat documentation regarding this topic.
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
>>
>> -Mike
>>
>> On Thu, Feb 9, 2023 at 11:58 AM Henry Zhang henryzhang62@gmail.com wrote:
>>
>>> Hi folks,
>>>
>>> setenforce allows users to swap selinux mode between enforcing and permissive.
>>> If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux.
>>>
>>> What should I do?
>>>
>>> Thanks.
>>>
>>> ---henry
>>> _______________________________________________
>>> selinux mailing list -- selinux@lists.fedoraproject.org
>>> To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Simon Sekidde
--
Zdenek Pytela
Security SELinux team
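The procedure Zdenek and Simon describe (enforcing mode made persistent in /etc/selinux/config, then the secure_mode_policyload boolean set with -P) and the state Henry later observes on his Fedora 37 box (setenforce denied even for root) can be checked and applied from a small POSIX shell script. The script below is an added example and is not code from the thread or from the Fedora SELinux project. It reads the state with getenforce and getsebool, which work for an unprivileged user, rather than semanage, which needs access to the policy store; the sample outputs embedded in it are constructed so that the classification runs offline, and the DRY_RUN variable and the function names are this example's own. The hardening function prints the commands by default instead of running them; the only real facts it relies on are the command names from the thread, the "name --> on|off" output format of getsebool, and the enforcing=0 kernel boot parameter as the recovery path Zdenek warns you to have ready.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit and apply the
# "enforcing forever" lockdown discussed above.
#
# States reported by lockdown_state:
#   locked     enforcing AND secure_mode_policyload on: setenforce 0,
#              setsebool and load_policy are denied, even for root, until reboot
#   enforcing  enforcing, but root can still run `setenforce 0`
#   permissive / disabled / unknown

DRY_RUN=${DRY_RUN:-1}   # assumption of this example: 1 = print commands only

# Constructed sample outputs, in the exact shape getenforce/getsebool print.
SAMPLE_MODE_LOCKED="Enforcing"
SAMPLE_BOOL_LOCKED="secure_mode_policyload --> on"
SAMPLE_MODE_OPEN="Enforcing"
SAMPLE_BOOL_OPEN="secure_mode_policyload --> off"

# lockdown_state MODE BOOL_LINE
#   MODE      is the output of `getenforce`
#   BOOL_LINE is the output of `getsebool secure_mode_policyload`
lockdown_state() {
    mode=$1
    boolline=$2
    case "$mode" in
        Enforcing)  ;;
        Permissive) echo permissive; return 0 ;;
        Disabled)   echo disabled;   return 0 ;;
        *)          echo unknown;    return 1 ;;
    esac
    # getsebool prints "secure_mode_policyload --> on"; keep the last word.
    value=${boolline##* }
    if [ "$value" = on ]; then
        echo locked
    else
        echo enforcing
    fi
}

# live_state: same classification, read from the running system.
live_state() {
    lockdown_state "$(getenforce 2>/dev/null)" \
                   "$(getsebool secure_mode_policyload 2>/dev/null)"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# harden: order matters. The persistent config and the live mode are fixed
# first; the boolean goes last because once secure_mode_policyload is on,
# no further setsebool/setenforce/load_policy call succeeds until reboot.
# With -P the boolean survives the reboot too, so the only way back is to
# boot with enforcing=0 (or selinux=0) on the kernel command line and run
# `setsebool -P secure_mode_policyload off` from there. Have that ready.
harden() {
    run sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    run setenforce 1
    run setsebool -P secure_mode_policyload on
}

# Offline demonstration against the constructed samples.
printf 'sample A: %s\n' "$(lockdown_state "$SAMPLE_MODE_LOCKED" "$SAMPLE_BOOL_LOCKED")"
printf 'sample B: %s\n' "$(lockdown_state "$SAMPLE_MODE_OPEN" "$SAMPLE_BOOL_OPEN")"
```

Run it as an unprivileged user with `live_state` to see where a host stands; on the Fedora 37 box in the thread it reports "locked", on the ctx0700 machine "enforcing". Run `DRY_RUN=0 harden` as root only after confirming console or rescue access, since the last command is the one that cannot be undone from a running system.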