disable setenforce

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 9 16:41:30 UTC 2005


On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting)?

Typically, the can_setenforce() macro defined in macros/core_macros.te
is used in the policy to allow processes to change /selinux/enforce
(which is how setenforce works).  It is used in macros/admin_macros.te
to allow administrators to do it, and in domains/program/initrc.te to
allow /etc/rc.d/rc.sysinit to do it for emergency recovery situations.
So you could remove its individual occurrences or change the macro
definition to expand to nothing.  You likely also would want to modify
the unconfined_domain definition and update the assertion in assert.te
to check that it isn't granted anywhere else.

Naturally, the problem then becomes dealing with policy updates after
making such a customization, so you might want to consider implementing
this as a policy boolean or tunable and submitting it for inclusion in
the standard policy.  That would let you disable it easily without
having to make invasive changes to the policy.

-- 
Stephen Smalley
National Security Agency
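
The audit step described in the message above (finding every place the policy grants the ability to change enforcing mode), as an added example that is not part of the original message or of the Fedora policy sources. The sample policy text is constructed and simplified, `example.te` is a hypothetical module, and the rule pattern only handles a single source type, not a `{ ... }` type set.

```python
import re

# Constructed sample sources (NOT the real strict policy). Paths mirror the
# files named in the message; example.te is a hypothetical module.
SAMPLE_POLICY = {
    "macros/core_macros.te":
        "define(`can_setenforce',`\n"
        "allow $1 security_t:security setenforce;\n"
        "')\n",
    "macros/admin_macros.te":
        "# administrators may toggle enforcing mode\n"
        "can_setenforce($1_t)\n",
    "domains/program/initrc.te":
        "can_setenforce(initrc_t)\n",
    "domains/program/example.te":
        "# can_setenforce(example_t)  commented out, must be ignored\n"
        "allow example_t security_t:security { load_policy setenforce };\n",
}

MACRO_DEF = re.compile(r"define\(\s*`can_setenforce'")
MACRO_CALL = re.compile(r"\bcan_setenforce\s*\(\s*([^)]*?)\s*\)")
# An allow rule on class "security"; the permission set is checked separately.
RAW_RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+\S+\s*:\s*security\s+(\{[^}]*\}|\w+)\s*;")

def audit(sources):
    """Return (path, line, kind, subject) for each place setenforce is granted."""
    findings = []
    for path in sorted(sources):
        in_def = False
        for lineno, line in enumerate(sources[path].splitlines(), 1):
            code = line.split("#", 1)[0]  # drop policy comments
            if MACRO_DEF.search(code):
                in_def = True
                findings.append((path, lineno, "definition", "can_setenforce"))
                continue
            if in_def:
                # Macro body: already covered by the definition finding.
                in_def = not code.strip().startswith("')")
                continue
            call, raw = MACRO_CALL.search(code), RAW_RULE.match(code)
            if call:
                findings.append((path, lineno, "macro-call", call.group(1)))
            elif raw and "setenforce" in re.findall(r"\w+", raw.group(2)):
                findings.append((path, lineno, "raw-rule", raw.group(1)))
    return findings

if __name__ == "__main__":
    for path, lineno, kind, subject in audit(SAMPLE_POLICY):
        print(f"{path}:{lineno}: {kind}: {subject}")
```

The `raw-rule` findings are the ones that survive emptying the macro, so they are the grants a tightened assertion would need to catch.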




More information about the fedora-selinux-list mailing list