Linux Archive


Daniel J Walsh 02-22-2012 05:33 PM

Blocking change to permissive

On 02/22/2012 12:34 PM, Bruno Wolff III wrote:
> I remember that once upon a time there was a boolean (or at least a
> setting in system-config-selinux) that would block root from using
> setenforce to change from enforcing to permissive mode.
> I can't seem to find it now on F17. I haven't figured out the
> correct combo to find this via google.
> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permissive mode.
> Is this setting gone now? If not can someone point me to what it is
> or documentation about it?
> Thanks.
You need to turn off unconfined_t user to make this work, especially
as root, and then use sysadm_t.

# semanage boolean -l | grep secure
secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_policyload (off , off) prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back
secure_mode_insmod (off , off) disallow programs and users from transitioning to insmod domain.


selinux mailing list
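
A check along the lines of the reply above, as an added example that is not part of the original thread: it reads `semanage boolean -l` and `semanage login -l` output and reports whether secure_mode_policyload is on and whether any login still maps to unconfined_u. The function names and both sample inputs are constructed for illustration, and treating a login mapped to unconfined_u as a gap is this example's reading of the advice about unconfined_t.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether switching to permissive
# is locked down, using saved output of two real commands.

# Constructed sample of `semanage boolean -l | grep secure` (format from the thread).
SAMPLE_BOOLEANS='secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_policyload (off , off) prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values.
secure_mode_insmod (off , off) disallow programs and users from transitioning to insmod domain.'

# Constructed sample of `semanage login -l`.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# bool_state NAME: read a boolean listing on stdin, print NAME's current state.
bool_state() {
    awk -v name="$1" '$1 == name {
        s = $0
        sub(/^[^(]*\(/, "", s)    # drop everything up to "("
        sub(/[ ,].*$/, "", s)     # keep the first value (current state)
        print s; exit
    }'
}

# unconfined_logins: read login mappings on stdin, print names mapped to unconfined_u.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# audit_permissive_lock BOOLEANS LOGINS: return 0 only if the boolean is on
# and no login maps to unconfined_u (assumption: such logins run unconfined).
audit_permissive_lock() {
    apl_rc=0
    apl_state=$(printf '%s\n' "$1" | bool_state secure_mode_policyload)
    if [ "$apl_state" != "on" ]; then
        echo "FAIL: secure_mode_policyload is '${apl_state:-missing}'"
        apl_rc=1
    fi
    for apl_login in $(printf '%s\n' "$2" | unconfined_logins); do
        echo "FAIL: login '$apl_login' maps to unconfined_u"
        apl_rc=1
    done
    if [ "$apl_rc" -eq 0 ]; then echo "OK: secure_mode_policyload on, no unconfined_u logins"; fi
    return "$apl_rc"
}

# Run against the constructed samples; both checks fail on these inputs.
audit_permissive_lock "$SAMPLE_BOOLEANS" "$SAMPLE_LOGINS" || true
```

On a live system, pass `"$(semanage boolean -l)"` and `"$(semanage login -l)"` as the two arguments instead of the samples.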

Bruno Wolff III 02-22-2012 05:46 PM

Blocking change to permissive
On Wed, Feb 22, 2012 at 13:33:51 -0500, Daniel J Walsh wrote:
> You need to turn off unconfined_t user to make this work, especially
> as root, and then use sysadm_t.

Thanks for that addendum. You saved me from asking a followup question later.
I have some reasons to look at confined users both at home and work. I don't
know if we'll want to turn on secure_mode_policyload yet, but wanted to
look at doing that.
