Description of problem:
According to man anaconda_selinux (and other selinux man pages):

[quote]
If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default.

setsebool -P secure_mode_policyload 1
[/quote]

Yes, it is a half-truth. When you turn on this boolean, then you cannot change enforcing mode, but you can disable this boolean. Take a look at my steps to reproduce.

Version-Release number of selected component (if applicable):
kernel-3.13.9-200.fc20.x86_64
selinux-policy-targeted-3.12.1-149.fc20.noarch

How reproducible:
always

Steps to Reproduce:
[root@asus-ux21e ~]# getsebool -a| grep secure
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
[root@asus-ux21e ~]# getenforce
Enforcing
[root@asus-ux21e ~]# setenforce 0; getenforce
Permissive
[root@asus-ux21e ~]# setenforce 1; getenforce
Enforcing
[root@asus-ux21e ~]# setsebool secure_mode=1 secure_mode_policyload=1
[root@asus-ux21e ~]# setenforce 0; getenforce
setenforce: setenforce() failed
Enforcing
[root@asus-ux21e ~]# setsebool secure_mode_policyload=0
[root@asus-ux21e ~]# setenforce 0; getenforce
Permissive

Actual results:
The secure_mode_policyload boolean allows me to turn it off when it is turned on.

Expected results:
It should be denied. The only way to disable it should be to reboot the system (if the boolean was set with -P) and set SELinux into permissive mode by kernel argument.

Additional info:
commit af982988c0cb8445adee9b144f34ee97cfcbb068 fixes this in git.
selinux-policy-3.12.1-166.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-166.fc20
Package selinux-policy-3.12.1-166.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-166.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6584/selinux-policy-3.12.1-166.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-166.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
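
A detection-side view of the reproduction in this report, as an added example that is not part of the bug report or of the selinux-policy project: it scans audit records for the secure_mode_policyload boolean being switched back off and for a later drop to permissive mode. It assumes the kernel's MAC_CONFIG_CHANGE and MAC_STATUS audit records in their usual key=value layout, all from a single boot; the sample lines and the function name are constructed for illustration.

```python
import re

# Constructed sample records (not from the bug report), mirroring the
# reproduction steps: lock set, lock cleared, then setenforce 0 succeeds.
SAMPLE = """\
type=MAC_CONFIG_CHANGE msg=audit(1400000000.100:200): bool=secure_mode val=1 old_val=0 auid=0 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1400000000.100:201): bool=secure_mode_policyload val=1 old_val=0 auid=0 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1400000060.200:207): bool=secure_mode_policyload val=0 old_val=1 auid=0 ses=1
type=MAC_STATUS msg=audit(1400000065.300:208): enforcing=0 old_enforcing=1 auid=0 ses=1
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
LOCK = "secure_mode_policyload"


def find_lock_bypass(text):
    """Return (audit serial, finding) pairs, in log order, for one boot."""
    findings = []
    lock_seen = False  # the lock was on at some point in this boot
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        kv = dict(p.split("=", 1) for p in body.split() if "=" in p)
        if rtype == "MAC_CONFIG_CHANGE" and kv.get("bool") == LOCK:
            if kv.get("val") == "1":
                lock_seen = True
            elif kv.get("old_val") == "1":
                # 1 -> 0 without a reboot is the behaviour reported here;
                # old_val=1 proves the lock was on even if setting it
                # happened before the log window.
                lock_seen = True
                findings.append((serial, "lock_cleared"))
        elif rtype == "MAC_STATUS" and lock_seen:
            if kv.get("enforcing") == "0" and kv.get("old_enforcing") == "1":
                findings.append((serial, "permissive_after_lock"))
    return findings


if __name__ == "__main__":
    for serial, finding in find_lock_bypass(SAMPLE):
        print(serial, finding)
```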