02-22-2012, 04:34 PM
Bruno Wolff III

Blocking change to permissive

I remember that once upon a time there was a boolean (or at least a setting
in system-config-selinux) that would block root from using setenforce to
change from enforcing to permissive mode.

I can't seem to find it now on F17. I haven't figured out the correct
combo to find this via google.

I tested the secure_mode boolean, but that didn't appear to work.
Nothing else in the list looked like it would block changing to
permissive mode.

Is this setting gone now? If not can someone point me to what it is or
documentation about it?

Thanks.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-22-2012, 04:41 PM
Dominick Grift

Blocking change to permissive

On Wed, 2012-02-22 at 11:34 -0600, Bruno Wolff III wrote:
> I remember that once upon a time there was a boolean (or at least a setting
> in system-config-selinux) that would block root from using setenforce to
> change from enforcing to permissive mode.
>
> I can't seem to find it now on F17. I haven't figured out the correct
> combo to find this via google.

It is secure_mode_policyload

$ getsebool -a | grep secure_mode
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off

$ sesearch --allow -SCT | grep secure_mode_policyload
EF allow can_setenforce security_t : security setenforce ; [ secure_mode_policyload ]
EF allow can_load_policy security_t : security load_policy ; [ secure_mode_policyload ]
EF allow can_setenforce security_t : file { ioctl read write getattr lock append open } ; [ secure_mode_policyload ]
EF allow can_setenforce security_t : dir { ioctl read getattr lock search open } ; [ secure_mode_policyload ]
EF allow can_setbool boolean_type : security setbool ; [ secure_mode_policyload ]
EF allow can_setenforce sysfs_t : filesystem getattr ; [ secure_mode_policyload ]
EF allow can_setenforce sysfs_t : dir { getattr search open } ; [ secure_mode_policyload ]


> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permissive mode.
>
> Is this setting gone now? If not can someone point me to what it is or
> documentation about it?
>
> Thanks.
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
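
How to read the sesearch output in the reply above, as an added example that is not part of the thread or of any project's code: it classifies each rule granting a permission on the security class by whether the rule disappears once the boolean is turned on. The helper names perm_when_on and blocks_perm are hypothetical, and the script assumes the setools 3 output layout shown in the post and single-boolean conditions.

```shell
#!/bin/sh
# Added example: interpret `sesearch --allow -SCT` text (setools 3 layout).
# Prefix: E/D = rule enabled/disabled now, T/F = boolean's true/false branch.
# No prefix = unconditional rule. Assumes single-boolean conditions "[ name ]".

# The three "security" class rules from the post, wrapped lines rejoined.
SAMPLE='EF allow can_setenforce security_t : security setenforce ; [ secure_mode_policyload ]
EF allow can_load_policy security_t : security load_policy ; [ secure_mode_policyload ]
EF allow can_setbool boolean_type : security setbool ; [ secure_mode_policyload ]'

# perm_when_on BOOLEAN PERM  (hypothetical helper; rules on stdin)
# For each rule granting PERM on class "security" prints "<verdict> <source>":
#   removed = rule is in BOOLEAN's F branch, so it is dropped once BOOLEAN is on
#   remains = unconditional, T branch, or tied to some other boolean
perm_when_on() {
    awk -v b="$1" -v p="$2" '
    {
        branch = ""; i = 1
        if ($1 ~ /^[ED][TF]$/) { branch = substr($1, 2, 1); i = 2 }
        if ($i != "allow") next
        src = $(i + 1)
        split($0, halves, / ;( |$)/)        # rule text | "[ boolean ]"
        cond = halves[2]; gsub(/^ +| +$/, "", cond)
        split(halves[1], lr, " : ")         # lr[2] = "class perm" or "class { perms }"
        m = split(lr[2], cp, " ")
        if (cp[1] != "security") next
        hit = 0
        for (j = 2; j <= m; j++) if (cp[j] == p) hit = 1
        if (!hit) next
        verdict = (branch == "F" && cond == "[ " b " ]") ? "removed" : "remains"
        print verdict, src
    }'
}

# blocks_perm BOOLEAN PERM: succeeds only if PERM is granted somewhere and every
# grant disappears when BOOLEAN is on. Feed it the full, ungrepped rule list.
blocks_perm() {
    out=$(perm_when_on "$1" "$2")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -q '^remains'
}

printf '%s\n' "$SAMPLE" | perm_when_on secure_mode_policyload setenforce
```

On a live system the input would be the complete `sesearch --allow -SCT` output rather than the grep-filtered lines, so that any unconditional grant of setenforce shows up as "remains".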
 
02-22-2012, 04:46 PM
Bruno Wolff III

Blocking change to permissive

On Wed, Feb 22, 2012 at 18:41:22 +0100,
Dominick Grift <dominick.grift@gmail.com> wrote:
> On Wed, 2012-02-22 at 11:34 -0600, Bruno Wolff III wrote:
> > I remember that once upon a time there was a boolean (or at least a setting
> > in system-config-selinux) that would block root from using setenforce to
> > change from enforcing to permissive mode.
> >
> > I can't seem to find it now on F17. I haven't figured out the correct
> > combo to find this via google.
>
> It is secure_mode_policyload

Thanks!
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

All times are GMT.