disable setenforce

Russell Coker russell at coker.com.au
Mon Sep 12 06:52:48 UTC 2005


On Saturday 10 September 2005 02:33, Todd Merritt <tmerritt at email.arizona.edu> 
wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting) ?

I've attached a patch against the latest rawhide policy (which should also 
work against the latest FC4 policy).

This patch adds a new boolean named secure_mode_policyload to cover loading 
policy, setting boolean states, and setting enforcing mode.  It also adds a 
new boolean named secure_mode_insmod to control module loading.

NB: Setting secure_mode_policyload to default to 1 at boot time will work, but 
that means policy can only be loaded once at boot (you should be able to install 
new policy and reboot the machine though).  Setting secure_mode_insmod at 
boot will probably make the boot process fail for all non-trivial machines, 
because the initial values of booleans are set before modules for devices such as 
Ethernet cards are loaded.  Setting secure_mode_insmod after the boot process is 
completed might be a good idea if you have no plans to use USB or 
Cardbus/PCMCIA; there have been exploits which relied on the ability to trick 
the system into loading modules (e.g. the ptrace exploit).

We could probably do with more work in this area, but the patch I have 
attached works reasonably well and adds usefully to the secure_mode 
functionality so I believe it's worthy of inclusion.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 1564 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050912/30245eb4/attachment.bin>
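The attached diff did not survive the archive, so the following is an added illustration (not Russell's patch, and not code from the Fedora policy) of the mechanism the mail describes: two booleans gating the kernel-object permissions that setenforce, setsebool, load_policy and insmod need. The boolean names are the two from the mail; the domain and type names (sysadm_t, insmod_t, security_t) follow the FC4-era example policy, but this exact text is an assumption and would need to be merged into the real policy sources rather than used as-is.

```selinux
# Added illustration only: NOT the attached diff and NOT Fedora policy text.
# Booleans default to off so an unmodified system behaves as before.
bool secure_mode_policyload false;
bool secure_mode_insmod false;

# While secure_mode_policyload is off, the admin domain may load policy,
# switch enforcing mode and flip booleans through selinuxfs (security class).
# Once the boolean is on, these rules vanish and setenforce / setsebool /
# load_policy are denied until the next boot re-reads the boolean file.
if (!secure_mode_policyload) {
    allow sysadm_t security_t:security { load_policy setenforce setbool };
}

# While secure_mode_insmod is off, the module-loading domain keeps the
# capability that a module load requires.  Assumed domain name: insmod_t.
if (!secure_mode_insmod) {
    allow insmod_t self:capability sys_module;
}
```

Because secure_mode_policyload also covers setbool, the order matters when enabling both from a running system: turn on secure_mode_insmod first (setsebool secure_mode_insmod 1) and secure_mode_policyload last, since after the second one no further boolean changes are permitted. A quick check afterwards is that setenforce 0 as the admin is denied and logged rather than taking effect.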

