disable setenforce

[Stephen Smalley]

On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting) ?

BTW, if you are going to do that, I assume you also want to remove the
ability to reload policy after the initial load?  Although that has
implications for policy updates...

-- 
Stephen Smalley
National Security Agency