From: zhuxian@huawei.com (Zhuxian (Kurt))
Date: Mon, 16 Jan 2017 15:05:53 +0000
Subject: [refpolicy] Why root is allowed to set the selinux to permissive mode?
Message-ID: <56064FF08E7DEB4D90553BCB80B78A677901BC3E@SZXEMA509-MBS.china.huawei.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

Why is root allowed to set SELinux to permissive mode?

If a process running with the root account has been compromised and the attacker gets root permission, then it can set SELinux to permissive mode and do anything it wants.

I think one of the main purposes of SELinux is to restrict the root account's permissions. But as discussed above, the root account can bypass all policy just by setting permissive mode.

I checked the refpolicy and got the following:

# semanage login -l
Login Name    SELinux User    ...
root          root            ...

# semanage user -l
SELinux User    SELinux Roles
root            staff_r sysadm_r ...

# seinfo --role=sysadm_r -x|grep sysadm_t
sysadm_t

# sesearch -t security_t -c security -p setenforce --allow
Found 3 semantic av rules:
   allow sysadm_t security_t : security { setenforce setbool } ;
   allow selinux_unconfined_type security_t : security { load_policy setenforce setbool } ;
   allow secadm_t security_t : security { setenforce setbool } ;
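
The lookup chain walked through in the message (login, SELinux user, role, type, allow rule), as an added example that is not part of the original post or of refpolicy. It parses constructed copies of the quoted command output; the staff_r to staff_t mapping and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample data mirroring the command output quoted in the message.
LOGINS = {"root": "root"}                        # semanage login -l
USER_ROLES = {"root": ["staff_r", "sysadm_r"]}   # semanage user -l
ROLE_TYPES = {"sysadm_r": ["sysadm_t"],          # seinfo --role=sysadm_r -x
              "staff_r": ["staff_t"]}            # assumed mapping, not in the message
SESEARCH = """\
Found 3 semantic av rules:
   allow sysadm_t security_t : security { setenforce setbool } ;
   allow selinux_unconfined_type security_t : security { load_policy setenforce setbool } ;
   allow secadm_t security_t : security { setenforce setbool } ;
"""

# Matches both "{ a b }" permission sets and a single bare permission.
RULE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def sources_with(perm, text, target="security_t", tclass="security"):
    """Return source names whose allow rule on target:tclass grants perm."""
    found = set()
    for src, tgt, cls, braced, single in RULE.findall(text):
        perms = set((braced or single).split())
        if tgt == target and cls == tclass and perm in perms:
            found.add(src)
    return found

def logins_reaching(perm, text):
    """Follow login -> SELinux user -> role -> type; keep paths that grant perm."""
    holders = sources_with(perm, text)
    paths = []
    for login, seuser in LOGINS.items():
        for role in USER_ROLES.get(seuser, []):
            for setype in ROLE_TYPES.get(role, []):
                if setype in holders:
                    paths.append((login, seuser, role, setype))
    return paths

def unreached_holders(perm, text):
    """Holders not reachable from any listed login (other roles, or attributes
    such as selinux_unconfined_type that still need expanding with seinfo)."""
    reached = {p[3] for p in logins_reaching(perm, text)}
    return sources_with(perm, text) - reached

if __name__ == "__main__":
    for path in logins_reaching("setenforce", SESEARCH):
        print(" -> ".join(path), "may setenforce")
    print("review separately:", sorted(unreached_holders("setenforce", SESEARCH)))
```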