disable setenforce
Stephen Smalley
sds at tycho.nsa.gov
Mon Sep 12 15:00:35 UTC 2005
On Mon, 2005-09-12 at 16:52 +1000, Russell Coker wrote:
> I've attached a patch against the latest rawhide policy (which should also
> work against the latest FC4 policy).
>
> This patch adds a new boolean named secure_mode_policyload to cover loading
> policy, setting boolean states, and setting enforcing mode. It also adds a
> new boolean named secure_mode_insmod to control module loading.
>
> NB Setting secure_mode_policyload to default to 1 at boot time will work, but
> that means policy can only be loaded once at boot (should be able to install
> new policy and reboot the machine though). Setting secure_mode_insmod at
> boot will probably make the boot process fail for all non-trivial machines;
> the initial values of booleans are set before modules for devices such as
> Ethernet cards. Setting secure_mode_insmod after the boot process is
> completed might be a good idea if you have no plans to use USB or
> Cardbus/PCMCIA; there have been exploits which relied on the ability to trick
> the system into loading modules (e.g. the ptrace exploit).
Did you attach the wrong patch? The one you sent doesn't define new
booleans; it just wraps additional rules with the existing secure_mode
boolean.
--
Stephen Smalley
National Security Agency