Re: audit log for "setenforce" changes?

On Fri, Jan 11, 2008 at 04:16:21PM -0500, Stephen Smalley wrote:
> 
> On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> > Is there any way to tell from the audit log or elsewhere when 
> > someone/something changed SELinux from enforcing to permissive or vice 
> > versa?
> 
> Look for MAC_STATUS records in the audit log, e.g.
> 	/sbin/ausearch -m MAC_STATUS
> 
> These include changes to enforcing mode, with the enforcing= and
> old_enforcing= values.

This doesn't work apparently:

#cat /etc/fedora-release 
Fedora release 8 (Werewolf)

#ausearch -m MAC_STATUS
<no matches>
#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
#setenforce 1
#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
[root@gkar 17:09:19 /var/log/audit]#ausearch -m MAC_STATUS
<no matches>
#setenforce 0
#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
#ausearch -m MAC_STATUS
<no matches>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
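
An added example, not part of the original thread: a short Python parser that reports enforcing-mode transitions from MAC_STATUS records, using the enforcing= and old_enforcing= fields mentioned in the quoted reply. The sample lines are constructed, and the raw record layout (including the auid= and ses= fields) and the name mode_changes are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the thread). The raw audit.log layout,
# including the auid= and ses= fields, is an assumption.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200089350.101:40): arch=40000003 syscall=4 success=yes exit=1 comm="setenforce"
type=MAC_STATUS msg=audit(1200089350.101:40): enforcing=1 old_enforcing=0 auid=500 ses=1
type=USER_AUTH msg=audit(1200089400.512:41): user pid=2101 uid=0 auid=500 msg='op=PAM:authentication acct="root"'
type=MAC_STATUS msg=audit(1200089460.730:42): enforcing=0 old_enforcing=1 auid=500 ses=1
type=MAC_STATUS msg=audit(1200089500.000:43): enforcing=1
"""

RECORD = re.compile(r"^type=MAC_STATUS msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
MODES = {"0": "permissive", "1": "enforcing"}


def mode_changes(lines):
    """Return one dict per MAC_STATUS record where the enforcing mode changed."""
    changes = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # other record types are ignored
        secs, serial, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        new, old = fields.get("enforcing"), fields.get("old_enforcing")
        if new not in MODES or old not in MODES or new == old:
            continue  # truncated or malformed record, or no actual transition
        changes.append({
            "epoch": int(secs),
            "when": datetime.fromtimestamp(int(secs), tz=timezone.utc).isoformat(),
            "serial": int(serial),
            "from": MODES[old],
            "to": MODES[new],
            # login uid of the session that made the change
            "auid": fields.get("auid", "unknown"),
        })
    return changes


if __name__ == "__main__":
    for c in mode_changes(SAMPLE_LOG.splitlines()):
        print(f'{c["when"]} event {c["serial"]}: '
              f'{c["from"]} -> {c["to"]} (auid={c["auid"]})')
```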
