disable setenforce

Russell Coker russell at coker.com.au
Sat Sep 17 12:35:29 UTC 2005

On Tuesday 13 September 2005 01:00, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > NB  Setting secure_mode_policyload to default to 1 at boot time will
> > work, but that means policy can only be loaded once at boot (should be
> > able to install new policy and reboot the machine though).  Setting
> > secure_mode_insmod at boot will probably make the boot process fail for
> > all non-trivial machines, the initial values of booleans are set before
> > modules for devices such as Ethernet cards.  Setting secure_mode_insmod
> > after the boot process is completed might be a good idea if you have no
> > plans to use USB or Cardbus/PCMCIA, there have been exploits which relied
> > on the ability to trick the system into loading modules (EG the ptrace
> > exploit).
> Did you attach the wrong patch?  The one you sent doesn't define new
> booleans; it just wraps additional rules with the existing secure_mode
> boolean.

I attached the patch, re-worked it, and then forgot to attach the new patch.

The correct patch is attached to this message.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 3137 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050917/b76ff3b2/attachment.bin>

More information about the fedora-selinux-list mailing list