There might be a situation where you want to make sure that SELinux is always enabled on your system.
Imagine a situation where you have an SELinux policy in place and someone hacks your OS and gets root straight away. What he can then do to take full control of your system is:
setenforce 1
vi /etc/selinux/config
SELINUX=disabled
reboot
With just a few steps, your entire effort and "security" is disabled, even without a reboot.
How can this be prevented?
I have written an SELinux policy module which allows your system components only to read and open /etc/selinux/config and prevents anyone from executing /usr/sbin/setenforce.
When you install this module, even root won't be able to take any action to disable SELinux on your system.
The module and the compilation steps are below.
[root@nfsec selinux-devel]# cat secpol.te
module secpol 1.0;

# secpol_t is declared without the file_type attribute on purpose: the blanket
# rules that let unconfined_t handle ordinary files do not reach it, so the only
# accesses that exist are the ones listed below (no write, no execute).
type secpol_t;

require {
    type selinux_config_t;
    type unconfined_t;
    type fs_t;
    type kernel_t;
    type kdumpctl_t;
    type lvm_t;
    type setfiles_t;
    type sshd_t;
    type systemd_hostnamed_t;
    type udev_t;
    type crond_t;
    type init_t;
    class file { ioctl read getattr lock append open relabelto setattr execute write rename unlink };
    class dir { search getattr read relabelto };
    class filesystem associate;
}

#============= selinux_config_t ==============
allow selinux_config_t secpol_t:dir { read getattr search };
allow selinux_config_t secpol_t:file { read open getattr };

#============= unconfined_t ==============
# relabelto is needed so that root can chcon the files to secpol_t once;
# there is no relabelfrom, so they cannot be labelled back afterwards.
allow unconfined_t secpol_t:dir { relabelto read getattr search };
allow unconfined_t secpol_t:file { read open getattr relabelto };

#============= secpol_t ==============
# lets secpol_t-labelled files live on the root filesystem
allow secpol_t fs_t:filesystem associate;

#============= init_t ==============
allow init_t secpol_t:file read;

#============= crond_t ==============
allow crond_t secpol_t:file read;

#============= kernel_t ==============
allow kernel_t secpol_t:dir getattr;
allow kernel_t secpol_t:file { getattr read open };

#============= kdumpctl_t ==============
allow kdumpctl_t secpol_t:file { read open };

#============= lvm_t ==============
allow lvm_t secpol_t:file { read open };

#============= setfiles_t ==============
allow setfiles_t secpol_t:file { read open };

#============= sshd_t ==============
allow sshd_t secpol_t:file { read open };

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t secpol_t:file { read open };

#============= udev_t ==============
allow udev_t secpol_t:file { read open };
cd /usr/src/selinux-devel/
ln -s /usr/share/selinux/devel/Makefile .
checkmodule -M -m -o secpol.mod secpol.te
semodule_package -m secpol.mod -o secpol.pp
semodule -i secpol.pp
chcon -t secpol_t /etc/selinux/config
chcon -t secpol_t /usr/sbin/setenforce
That's it, hope you enjoyed it. (Note that chcon alone does not record the label in the file-context database, so a relabel with restorecon or an autorelabel would reset these two files; add a matching fcontext entry if you rely on relabelling.) The result, even as root:
[root@nfsec selinux-devel]# echo "">/etc/selinux/config
-bash: /etc/selinux/config: Permission denied
[root@nfsec selinux-devel]# echo "">>/etc/selinux/config
-bash: /etc/selinux/config: Permission denied
[root@nfsec selinux-devel]# setenforce
-bash: /usr/sbin/setenforce: Permission denied
However, there is still one last option left for changing Enforcing to Permissive:
echo 0 > /sys/fs/selinux/enforce
To disable changing the policy and the enforcing mode entirely until the next reboot, do the following:
[root@nfsec selinux-devel]# getsebool -a |grep secure
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
[root@nfsec selinux-devel]# setsebool secure_mode_policyload 1
[root@nfsec selinux-devel]# echo 1 > /sys/fs/selinux/enforce
[root@nfsec selinux-devel]# echo 0 > /sys/fs/selinux/enforce
-bash: echo: write error: Permission denied
[root@localhost selinux-devel]# getenforce
Enforcing
You now cannot change the SELinux mode to Permissive.
You would need to reboot the OS with selinux=0 on the kernel command line in grub.
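A small audit helper to confirm the lockdown described above is still in place, as an added example that is not part of the original post; it assumes GNU stat (whose %C prints the security context), the secpol_t type and the secure_mode_policyload boolean used above, and its parsing functions can also be fed constructed sample output for offline checks.

```shell
#!/bin/sh
# Audit helper (added example): verifies that /etc/selinux/config and
# /usr/sbin/setenforce still carry the secpol_t label, that the
# secure_mode_policyload boolean is on, and that the mode is Enforcing.

# Extract the SELinux type (third colon-separated field) from a context
# string such as "system_u:object_r:secpol_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the context in $1 carries the type given in $2.
label_is() {
    [ "$(context_type "$1")" = "$2" ]
}

# Parse one getsebool output line ("secure_mode_policyload --> on")
# and return 0 only when the boolean is on.
bool_is_on() {
    case "$1" in
        *'--> on') return 0 ;;
        *)         return 1 ;;
    esac
}

# Run the live audit: prints one line per check, returns non-zero on failure.
audit_selinux_lockdown() {
    rc=0
    for f in /etc/selinux/config /usr/sbin/setenforce; do
        ctx=$(stat -c %C "$f" 2>/dev/null)
        if label_is "$ctx" secpol_t; then
            echo "ok   $f is labelled secpol_t"
        else
            echo "FAIL $f has context '${ctx:-unknown}'"; rc=1
        fi
    done
    if bool_is_on "$(getsebool secure_mode_policyload 2>/dev/null)"; then
        echo "ok   secure_mode_policyload is on"
    else
        echo "FAIL secure_mode_policyload is off (setenforce 0 still possible)"; rc=1
    fi
    if [ "$(getenforce 2>/dev/null)" = Enforcing ]; then
        echo "ok   mode is Enforcing"
    else
        echo "FAIL mode is not Enforcing"; rc=1
    fi
    return $rc
}

# Only run the live checks when invoked as: sh audit.sh --run
if [ "${1:-}" = --run ]; then audit_selinux_lockdown; fi
```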