On Fri, 2008-01-11 at 17:10 -0500, Chuck Anderson wrote:
> On Fri, Jan 11, 2008 at 04:16:21PM -0500, Stephen Smalley wrote:
> >
> > On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> > > Is there any way to tell from the audit log or elsewhere when
> > > someone/something changed SELinux from enforcing to permissive or vice
> > > versa?
> >
> > Look for MAC_STATUS records in the audit log, e.g.
> > /sbin/ausearch -m MAC_STATUS
> >
> > These include changes to enforcing mode, with the enforcing= and
> > old_enforcing= values.
>
> This doesn't work apparently:
>
> #cat /etc/fedora-release
> Fedora release 8 (Werewolf)
>
> #ausearch -m MAC_STATUS
> <no matches>
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> #setenforce 1
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> [root@gkar 17:09:19 /var/log/audit]#ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> #ausearch -m MAC_STATUS
> <no matches>

Do you have auditd running? If not look in dmesg or /var/log/messages
instead of ausearch because it seems to be working fine for me....

[root@localhost ~]# cat /etc/fedora-release
Fedora release 8 (Werewolf)
[root@localhost ~]# setenforce 1
[root@localhost ~]# ausearch -m MAC_STATUS
----
time->Sat Jan 12 08:33:04 2008
type=SYSCALL msg=audit(1200144784.891:24): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf83f1e4 a2=1 a3=bf83f1e4 items=0 ppid=3155 pid=3394 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1200144784.891:24): enforcing=0 old_enforcing=1 auid=500
----
time->Sat Jan 12 08:33:39 2008
type=SYSCALL msg=audit(1200144819.882:26): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfb534f4 a2=1 a3=bfb534f4 items=0 ppid=3155 pid=3399 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1200144819.882:26): enforcing=1 old_enforcing=0 auid=500
[root@localhost ~]#

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
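
Added example, not part of the original message or of the audit tools: a small Python parser that joins each MAC_STATUS record to the SYSCALL record sharing its audit event ID, so every enforcing-mode change is reported with the login uid and executable behind it. The function name, the result keys and the trimmed sample records are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample records modelled on the ausearch output in the message above and
# trimmed to the fields used here (constructed for this example).
SAMPLE = '''\
type=SYSCALL msg=audit(1200144784.891:24): syscall=4 success=yes pid=3394 auid=500 uid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce"
type=MAC_STATUS msg=audit(1200144784.891:24): enforcing=0 old_enforcing=1 auid=500
type=SYSCALL msg=audit(1200144819.882:26): syscall=4 success=yes pid=3399 auid=500 uid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce"
type=MAC_STATUS msg=audit(1200144819.882:26): enforcing=1 old_enforcing=0 auid=500
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODE = {"0": "permissive", "1": "enforcing"}

def enforcing_changes(text):
    """Return one dict per MAC_STATUS event, joined with its SYSCALL record."""
    events = defaultdict(dict)          # (epoch, serial) -> {record type: fields}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue                    # skips "----" and "time->" separator lines
        rtype, epoch, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[(int(epoch), int(serial))][rtype] = fields
    changes = []
    for (epoch, serial), recs in sorted(events.items()):
        status = recs.get("MAC_STATUS")
        if not status or "enforcing" not in status:
            continue
        call = recs.get("SYSCALL", {})  # may be missing from the input
        changes.append({
            "epoch": epoch, "serial": serial,
            "old": MODE.get(status.get("old_enforcing"), "unknown"),
            "new": MODE.get(status["enforcing"], "unknown"),
            "auid": status.get("auid", call.get("auid")),
            "uid": call.get("uid"), "exe": call.get("exe"),
            "to_permissive": status["enforcing"] == "0",
        })
    return changes

if __name__ == "__main__":
    for c in enforcing_changes(SAMPLE):
        flag = "ALERT" if c["to_permissive"] else "info"
        print(f'{flag}: {c["old"]} -> {c["new"]} at {c["epoch"]} '
              f'(event {c["serial"]}) auid={c["auid"]} uid={c["uid"]} exe={c["exe"]}')
```

The same function can be fed the text that `ausearch -m MAC_STATUS` prints, since the separator and time lines are skipped.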