On 02/22/2012 12:34 PM, Bruno Wolff III wrote:
> I remember that once apon a time there was a boolean (or at least a
> setting in system-config-selinux) that would block root from using
> setenforce to change from enforcing to permissive mode.
>
> I can't seem to find it now on F17. I haven't figured out the
> correct combo to find this via google.
>
> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permisive mode.
>
> Is this setting gone now? If not can someone point me to what it is
> or documentation about it?
>
> Thanks. -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
You need to turn off unconfined_t user to make this work, especially
as root, and then use sysadm_t.
# semanage boolean -l | grep secure
secure_mode (off , off) disallow programs, such
as newrole, from transitioning to administrative user domains.
secure_mode_policyload (off , off) prevent all confined
domains from loading policy, setting enforcing mode, and changing
boolean values. Set this to true and you have to reboot to set it back
secure_mode_insmod (off , off) disallow programs and
users from transitioning to insmod domain.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
On Wed, Feb 22, 2012 at 13:33:51 -0500,
Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> You need to turn off unconfined_t user to make this work, especially
> as root, and then use sysadm_t.
Thanks for that addendum. You saved me from asking a followup question later.
I have some reasons to look at confined users both at home and work. I don't
know if we'll want to turn on secure_mode_policyload yet, but wanted to
look at doing that.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Blocking change to permissive
