02-22-2012, 05:33 PM
Daniel J Walsh

Blocking change to permissive

On 02/22/2012 12:34 PM, Bruno Wolff III wrote:
> I remember that once upon a time there was a boolean (or at least a
> setting in system-config-selinux) that would block root from using
> setenforce to change from enforcing to permissive mode.
>
> I can't seem to find it now on F17. I haven't figured out the
> correct combo to find this via google.
>
> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permissive mode.
>
> Is this setting gone now? If not can someone point me to what it is
> or documentation about it?
>
> Thanks.
>
You need to turn off unconfined_t user to make this work, especially
as root, and then use sysadm_t.


# semanage boolean -l | grep secure
secure_mode (off , off) disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_policyload (off , off) prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back
secure_mode_insmod (off , off) disallow programs and users from transitioning to insmod domain.


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
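
An audit check for the configuration discussed in the reply above, as an added example that is not part of the original thread: it reads saved `semanage boolean -l` and `semanage login -l` output and reports whether secure_mode_policyload is on and whether any login is still mapped to unconfined_u. The function names are hypothetical, the sample listings are constructed (the "off" line is taken from the thread), and checking login mappings as the way to find unconfined users is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Sample data is constructed, except
# BOOLS_OFF, which reuses the secure_mode_policyload line from the thread.
BOOLS_OFF='secure_mode_policyload (off , off) prevent all confined domains from loading policy'
BOOLS_ON='secure_mode_policyload         (on   ,   on)  prevent all confined domains from loading policy'
LOGINS_DEFAULT='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'
LOGINS_CONFINED='__default__          user_u               s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *'

# Current state (first value in parentheses) of boolean $1; input: `semanage boolean -l` on stdin.
bool_state() {
    awk -v name="$1" '$1 == name && match($0, /\([^)]*\)/) {
        split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
        gsub(/[ \t]/, "", f[1])
        print f[1]
    }'
}

# Login names still mapped to unconfined_u; input: `semanage login -l` on stdin.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# $1 = boolean listing, $2 = login listing. Assumption: login mappings are how
# unconfined access is granted on the audited host.
lockdown_status() {
    state=$(printf '%s\n' "$1" | bool_state secure_mode_policyload)
    loose=$(printf '%s\n' "$2" | unconfined_logins | tr '\n' ' ')
    if [ "$state" != "on" ]; then
        echo "open: secure_mode_policyload is ${state:-missing}"
    elif [ -n "$loose" ]; then
        echo "incomplete: unconfined logins: ${loose% }"
    else
        echo "locked"
    fi
}

lockdown_status "$BOOLS_OFF" "$LOGINS_DEFAULT"
lockdown_status "$BOOLS_ON" "$LOGINS_DEFAULT"
lockdown_status "$BOOLS_ON" "$LOGINS_CONFINED"
```

On a live host, pass the real listings instead, for example `lockdown_status "$(semanage boolean -l)" "$(semanage login -l)"`.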
 
02-22-2012, 05:46 PM
Bruno Wolff III

Blocking change to permissive

On Wed, Feb 22, 2012 at 13:33:51 -0500,
Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> You need to turn off unconfined_t user to make this work, especially
> as root, and then use sysadm_t.

Thanks for that addendum. You saved me from asking a followup question later.
I have some reasons to look at confined users both at home and work. I don't
know if we'll want to turn on secure_mode_policyload yet, but wanted to
look at doing that.