On Fri, 2005-09-09 at 12:53 -0400, Stephen Smalley wrote:
> On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> > I can't find where I read this now, could somebody please tell me what I need to add/remove from the strict policy to disallow running of the setenforce command (but still allow changing enforcement mode via rebooting)?
>
> BTW, if you are going to do that, I assume you also want to remove the ability to reload policy after the initial load? Although that has implications for policy updates...

I hadn't thought of that. There's no point closing the window and leaving the door open, but that may be more hoops than I care to jump through for this application.