
Chuck Anderson 01-11-2008 08:06 PM

audit log for "setenforce" changes?
 
Is there any way to tell from the audit log or elsewhere when
someone/something changed SELinux from enforcing to permissive or vice
versa?

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Stephen Smalley 01-11-2008 08:16 PM

audit log for "setenforce" changes?
 
On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> Is there any way to tell from the audit log or elsewhere when
> someone/something changed SELinux from enforcing to permissive or vice
> versa?

Look for MAC_STATUS records in the audit log, e.g.
/sbin/ausearch -m MAC_STATUS

These include changes to enforcing mode, with the enforcing= and
old_enforcing= values.

--
Stephen Smalley
National Security Agency


Chuck Anderson 01-11-2008 09:10 PM

audit log for "setenforce" changes?
 
On Fri, Jan 11, 2008 at 04:16:21PM -0500, Stephen Smalley wrote:
>
> On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> > Is there any way to tell from the audit log or elsewhere when
> > someone/something changed SELinux from enforcing to permissive or vice
> > versa?
>
> Look for MAC_STATUS records in the audit log, e.g.
> /sbin/ausearch -m MAC_STATUS
>
> These include changes to enforcing mode, with the enforcing= and
> old_enforcing= values.

This doesn't work apparently:

#cat /etc/fedora-release
Fedora release 8 (Werewolf)

#ausearch -m MAC_STATUS
<no matches>
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
#setenforce 1
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
[root@gkar 17:09:19 /var/log/audit]#ausearch -m MAC_STATUS
<no matches>
#setenforce 0
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
#ausearch -m MAC_STATUS
<no matches>


Eric Paris 01-12-2008 12:37 PM

audit log for "setenforce" changes?
 
On Fri, 2008-01-11 at 17:10 -0500, Chuck Anderson wrote:
> On Fri, Jan 11, 2008 at 04:16:21PM -0500, Stephen Smalley wrote:
> >
> > On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> > > Is there any way to tell from the audit log or elsewhere when
> > > someone/something changed SELinux from enforcing to permissive or vice
> > > versa?
> >
> > Look for MAC_STATUS records in the audit log, e.g.
> > /sbin/ausearch -m MAC_STATUS
> >
> > These include changes to enforcing mode, with the enforcing= and
> > old_enforcing= values.
>
> This doesn't work apparently:
>
> #cat /etc/fedora-release
> Fedora release 8 (Werewolf)
>
> #ausearch -m MAC_STATUS
> <no matches>
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> #setenforce 1
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> [root@gkar 17:09:19 /var/log/audit]#ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> #ausearch -m MAC_STATUS
> <no matches>

Do you have auditd running? If not look in dmesg or /var/log/messages
instead of ausearch because it seems to be working fine for me....

[root@localhost ~]# cat /etc/fedora-release
Fedora release 8 (Werewolf)
[root@localhost ~]# setenforce 1
[root@localhost ~]# ausearch -m MAC_STATUS
----
time->Sat Jan 12 08:33:04 2008
type=SYSCALL msg=audit(1200144784.891:24): arch=40000003 syscall=4
success=yes exit=1 a0=3 a1=bf83f1e4 a2=1 a3=bf83f1e4 items=0 ppid=3155
pid=3394 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce"
subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1200144784.891:24): enforcing=0
old_enforcing=1 auid=500
----
time->Sat Jan 12 08:33:39 2008
type=SYSCALL msg=audit(1200144819.882:26): arch=40000003 syscall=4
success=yes exit=1 a0=3 a1=bfb534f4 a2=1 a3=bfb534f4 items=0 ppid=3155
pid=3399 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce"
subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1200144819.882:26): enforcing=1
old_enforcing=0 auid=500
[root@localhost ~]#




Chuck Anderson 01-14-2008 04:35 PM

audit log for "setenforce" changes?
 
On Sat, Jan 12, 2008 at 08:37:04AM -0500, Eric Paris wrote:
> Do you have auditd running? If not look in dmesg or /var/log/messages
> instead of ausearch because it seems to be working fine for me....

Yes, I do have auditd running.

#service auditd status
auditd (pid 2523) is running...
#service rsyslog status
rsyslogd (pid 19658) is running...
rklogd (pid 19664) is running...
#ausearch -m MAC_STATUS
<no matches>
#setenforce 0
#ausearch -m MAC_STATUS
<no matches>
#setenforce 1
#ausearch -m MAC_STATUS
<no matches>
#setenforce 0
#ausearch -m MAC_STATUS
<no matches>
#grep setenforce /var/log/messages
#grep setenforce /var/log/syslog
#grep setenforce /var/log/secure
#dmesg|grep setenforce


Eric Paris 01-14-2008 04:46 PM

audit log for "setenforce" changes?
 
hmmm, are you getting any audit messages? Maybe a long time back you
ran out of disk space and auditd stopped logging? If you service auditd
restart and it can't log for some reason it should tell you
in /var/log/messages...

maybe auditd is turned off? what do you get from auditctl -s ?? is it
enabled? maybe you ran auditctl -e 0 at some time?

assuming audit isn't running the message in dmesg looks like:
type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
auid=4294967295 ses=4294967295

and the corresponding /var/log/messages:
Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295

start telling me about all of your versions, are they all stock or did
you build some of these parts yourself. Because I can't find a way to
reproduce the problem to fix it....

-Eric

On Mon, 2008-01-14 at 12:35 -0500, Chuck Anderson wrote:
> On Sat, Jan 12, 2008 at 08:37:04AM -0500, Eric Paris wrote:
> > Do you have auditd running? If not look in dmesg or /var/log/messages
> > instead of ausearch because it seems to be working fine for me....
>
> Yes, I do have auditd running.
>
> #service auditd status
> auditd (pid 2523) is running...
> #service rsyslog status
> rsyslogd (pid 19658) is running...
> rklogd (pid 19664) is running...
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 1
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #ausearch -m MAC_STATUS
> <no matches>
> #grep setenforce /var/log/messages
> #grep setenforce /var/log/syslog
> #grep setenforce /var/log/secure
> #dmesg|grep setenforce


Stephen Smalley 01-14-2008 04:48 PM

audit log for "setenforce" changes?
 
On Mon, 2008-01-14 at 12:35 -0500, Chuck Anderson wrote:
> On Sat, Jan 12, 2008 at 08:37:04AM -0500, Eric Paris wrote:
> > Do you have auditd running? If not look in dmesg or /var/log/messages
> > instead of ausearch because it seems to be working fine for me....
>
> Yes, I do have auditd running.
>
> #service auditd status
> auditd (pid 2523) is running...
> #service rsyslog status
> rsyslogd (pid 19658) is running...
> rklogd (pid 19664) is running...
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 1
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #ausearch -m MAC_STATUS
> <no matches>
> #grep setenforce /var/log/messages
> #grep setenforce /var/log/syslog
> #grep setenforce /var/log/secure
> #dmesg|grep setenforce

kernel version?
audit version?

--
Stephen Smalley
National Security Agency


Chuck Anderson 01-14-2008 05:31 PM

audit log for "setenforce" changes?
 
On Mon, Jan 14, 2008 at 12:46:52PM -0500, Eric Paris wrote:
> hmmm, are you getting any audit messages?

It appears that the last message I got was on Dec 12:

#ausearch -m AVC -i | tail -1
type=AVC msg=audit(12/12/2007 06:05:58.434:68533739) : avc: denied {
getattr } for pid=31687 comm=named path=/var/log/named/queries
dev=dm-3 ino=10944781 scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file


> Maybe a long time back you
> ran out of disk space and auditd stopped logging?

I don't think I ran out of space:

#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-root
39G 301M 37G 1% /
/dev/sda2 494M 32M 438M 7% /boot
tmpfs 1.5G 0 1.5G 0% /dev/shm
/dev/mapper/VolGroup00-home
97G 9.3G 83G 11% /home
/dev/mapper/VolGroup00-usr
97G 1.3G 91G 2% /usr
/dev/mapper/VolGroup00-var
97G 15G 78G 16% /var

> If you service auditd
> restart and it can't log for some reason it should tell you
> in /var/log/messages...
>
> maybe auditd is turned off? what do you get from auditctl -s ?? is it
> enabled? maybe you ran auditctl -e 0 at some time?

#auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=2523 rate_limit=0 backlog_limit=256
lost=0 backlog=0

> assuming audit isn't running the message in dmesg looks like:
> type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
> auid=4294967295 ses=4294967295
>
> and the corresponding /var/log/messages:
> Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
> enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295

#grep enforcing /var/log/messages
#dmesg | grep enforcing

Ok, I restarted auditd:

#service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
#ausearch -m AVC -i | tail -1
type=AVC msg=audit(01/14/2008 13:25:32.903:137848459) : avc: denied
{ getattr } for pid=31227 comm=radiusd
path=/var/log/radius/radius.log dev=dm-3 ino=10944744
scontext=unconfined_u:system_r:radiusd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file

> start telling me about all of your versions, are they all stock or did
> you build some of these parts yourself. Because I can't find a way to
> reproduce the problem to fix it....

Stock Fedora 8 with updates:

#uname -r ; rpm -q kernel audit selinux-policy selinux-policy-targeted setools policycoreutils
2.6.23.8-63.fc8
kernel-2.6.23.8-63.fc8
kernel-2.6.23.9-85.fc8
audit-1.6.2-4.fc8
selinux-policy-3.0.8-73.fc8
selinux-policy-targeted-3.0.8-73.fc8
setools-3.3.1-7.fc8
policycoreutils-2.0.33-2.fc8
policycoreutils-2.0.33-3.fc8

Here is what updated on Dec 12 when the audit logging stopped:

Dec 12 05:59:52 Updated: yum - 3.2.8-2.fc8.noarch
Dec 12 06:05:20 Updated: cyrus-sasl-lib - 2.1.22-8.fc8.i386
Dec 12 06:05:20 Updated: libsepol - 2.0.15-1.fc8.i386
Dec 12 06:05:20 Updated: libsemanage - 2.0.12-2.fc8.i386
Dec 12 06:05:21 Updated: policycoreutils - 2.0.32-2.fc8.i386
Dec 12 06:05:23 Updated: samba-common - 3.0.28-0.fc8.i386
Dec 12 06:05:23 Updated: cyrus-sasl-md5 - 2.1.22-8.fc8.i386
Dec 12 06:05:23 Updated: cyrus-sasl-plain - 2.1.22-8.fc8.i386
Dec 12 06:05:24 Updated: samba-client - 3.0.28-0.fc8.i386
Dec 12 06:05:24 Updated: cyrus-sasl - 2.1.22-8.fc8.i386
Dec 12 06:05:25 Updated: selinux-policy - 3.0.8-64.fc8.noarch
Dec 12 06:06:05 Updated: selinux-policy-targeted - 3.0.8-64.fc8.noarch

I wonder if this is when it somehow got flipped back to enforcing=1
since I had been running with a manual "setenforce 0" since November.


Eric Paris 01-14-2008 05:42 PM

audit log for "setenforce" changes?
 
On Mon, 2008-01-14 at 13:31 -0500, Chuck Anderson wrote:
> On Mon, Jan 14, 2008 at 12:46:52PM -0500, Eric Paris wrote:
> > hmmm, are you getting any audit messages?
>
> It appears that the last message I got was on Dec 12:
>
> #ausearch -m AVC -i | tail -1
> type=AVC msg=audit(12/12/2007 06:05:58.434:68533739) : avc: denied {
> getattr } for pid=31687 comm=named path=/var/log/named/queries
> dev=dm-3 ino=10944781 scontext=system_u:system_r:named_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
>
> > Maybe a long time back you
> > ran out of disk space and auditd stopped logging?
>
> I don't think I ran out of space:
>
> #df -h
> Filesystem Size Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-root
> 39G 301M 37G 1% /
> /dev/sda2 494M 32M 438M 7% /boot
> tmpfs 1.5G 0 1.5G 0% /dev/shm
> /dev/mapper/VolGroup00-home
> 97G 9.3G 83G 11% /home
> /dev/mapper/VolGroup00-usr
> 97G 1.3G 91G 2% /usr
> /dev/mapper/VolGroup00-var
> 97G 15G 78G 16% /var
>
> > If you service auditd
> > restart and it can't log for some reason it should tell you
> > in /var/log/messages...
> >
> > maybe auditd is turned off? what do you get from auditctl -s ?? is it
> > enabled? maybe you ran auditctl -e 0 at some time?
>
> #auditctl -s
> AUDIT_STATUS: enabled=1 flag=1 pid=2523 rate_limit=0 backlog_limit=256
> lost=0 backlog=0
>
> > assuming audit isn't running the message in dmesg looks like:
> > type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
> > auid=4294967295 ses=4294967295
> >
> > and the corresponding /var/log/messages:
> > Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
> > enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
>
> #grep enforcing /var/log/messages
> #dmesg | grep enforcing
>
> Ok, I restarted auditd:
>
> #service auditd restart
> Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
> #ausearch -m AVC -i | tail -1
> type=AVC msg=audit(01/14/2008 13:25:32.903:137848459) : avc: denied
> { getattr } for pid=31227 comm=radiusd
> path=/var/log/radius/radius.log dev=dm-3 ino=10944744
> scontext=unconfined_u:system_r:radiusd_t:s0
> tcontext=system_u:object_r:user_home_t:s0 tclass=file
>
> > start telling me about all of your versions, are they all stock or did
> > you build some of these parts yourself. Because I can't find a way to
> > reproduce the problem to fix it....
>
> Stock Fedora 8 with updates:
>
> #uname -r ; rpm -q kernel audit selinux-policy selinux-policy-targeted setools policycoreutils
> 2.6.23.8-63.fc8
> kernel-2.6.23.8-63.fc8
> kernel-2.6.23.9-85.fc8
> audit-1.6.2-4.fc8
> selinux-policy-3.0.8-73.fc8
> selinux-policy-targeted-3.0.8-73.fc8
> setools-3.3.1-7.fc8
> policycoreutils-2.0.33-2.fc8
> policycoreutils-2.0.33-3.fc8
>
> Here is what updated on Dec 12 when the audit logging stopped:
>
> Dec 12 05:59:52 Updated: yum - 3.2.8-2.fc8.noarch
> Dec 12 06:05:20 Updated: cyrus-sasl-lib - 2.1.22-8.fc8.i386
> Dec 12 06:05:20 Updated: libsepol - 2.0.15-1.fc8.i386
> Dec 12 06:05:20 Updated: libsemanage - 2.0.12-2.fc8.i386
> Dec 12 06:05:21 Updated: policycoreutils - 2.0.32-2.fc8.i386
> Dec 12 06:05:23 Updated: samba-common - 3.0.28-0.fc8.i386
> Dec 12 06:05:23 Updated: cyrus-sasl-md5 - 2.1.22-8.fc8.i386
> Dec 12 06:05:23 Updated: cyrus-sasl-plain - 2.1.22-8.fc8.i386
> Dec 12 06:05:24 Updated: samba-client - 3.0.28-0.fc8.i386
> Dec 12 06:05:24 Updated: cyrus-sasl - 2.1.22-8.fc8.i386
> Dec 12 06:05:25 Updated: selinux-policy - 3.0.8-64.fc8.noarch
> Dec 12 06:06:05 Updated: selinux-policy-targeted - 3.0.8-64.fc8.noarch
>
> I wonder if this is when it somehow got flipped back to enforcing=1
> since I had been running with a manual "setenforce 0" since November

Maybe on policy reload it read /etc/selinux/config and pulled that
setting?

Anyway, you have some serious labeling issue there in /var...

try restorecon -R /var

-Eric


Stephen Smalley 01-14-2008 05:46 PM

audit log for "setenforce" changes?
 
On Mon, 2008-01-14 at 13:42 -0500, Eric Paris wrote:
> On Mon, 2008-01-14 at 13:31 -0500, Chuck Anderson wrote:
> > On Mon, Jan 14, 2008 at 12:46:52PM -0500, Eric Paris wrote:
> > > hmmm, are you getting any audit messages?
> >
> > It appears that the last message I got was on Dec 12:
> >
> > #ausearch -m AVC -i | tail -1
> > type=AVC msg=audit(12/12/2007 06:05:58.434:68533739) : avc: denied {
> > getattr } for pid=31687 comm=named path=/var/log/named/queries
> > dev=dm-3 ino=10944781 scontext=system_u:system_r:named_t:s0
> > tcontext=system_u:object_r:var_log_t:s0 tclass=file
> >
> >
> > > Maybe a long time back you
> > > ran out of disk space and auditd stopped logging?
> >
> > I don't think I ran out of space:
> >
> > #df -h
> > Filesystem Size Used Avail Use% Mounted on
> > /dev/mapper/VolGroup00-root
> > 39G 301M 37G 1% /
> > /dev/sda2 494M 32M 438M 7% /boot
> > tmpfs 1.5G 0 1.5G 0% /dev/shm
> > /dev/mapper/VolGroup00-home
> > 97G 9.3G 83G 11% /home
> > /dev/mapper/VolGroup00-usr
> > 97G 1.3G 91G 2% /usr
> > /dev/mapper/VolGroup00-var
> > 97G 15G 78G 16% /var
> >
> > > If you service auditd
> > > restart and it can't log for some reason it should tell you
> > > in /var/log/messages...
> > >
> > > maybe auditd is turned off? what do you get from auditctl -s ?? is it
> > > enabled? maybe you ran auditctl -e 0 at some time?
> >
> > #auditctl -s
> > AUDIT_STATUS: enabled=1 flag=1 pid=2523 rate_limit=0 backlog_limit=256
> > lost=0 backlog=0
> >
> > > assuming audit isn't running the message in dmesg looks like:
> > > type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
> > > auid=4294967295 ses=4294967295
> > >
> > > and the corresponding /var/log/messages:
> > > Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
> > > enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> >
> > #grep enforcing /var/log/messages
> > #dmesg | grep enforcing
> >
> > Ok, I restarted auditd:
> >
> > #service auditd restart
> > Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > #ausearch -m AVC -i | tail -1
> > type=AVC msg=audit(01/14/2008 13:25:32.903:137848459) : avc: denied
> > { getattr } for pid=31227 comm=radiusd
> > path=/var/log/radius/radius.log dev=dm-3 ino=10944744
> > scontext=unconfined_u:system_r:radiusd_t:s0
> > tcontext=system_u:object_r:user_home_t:s0 tclass=file
> >
> > > start telling me about all of your versions, are they all stock or did
> > > you build some of these parts yourself. Because I can't find a way to
> > > reproduce the problem to fix it....
> >
> > Stock Fedora 8 with updates:
> >
> > #uname -r ; rpm -q kernel audit selinux-policy selinux-policy-targeted setools policycoreutils
> > 2.6.23.8-63.fc8
> > kernel-2.6.23.8-63.fc8
> > kernel-2.6.23.9-85.fc8
> > audit-1.6.2-4.fc8
> > selinux-policy-3.0.8-73.fc8
> > selinux-policy-targeted-3.0.8-73.fc8
> > setools-3.3.1-7.fc8
> > policycoreutils-2.0.33-2.fc8
> > policycoreutils-2.0.33-3.fc8
> >
> > Here is what updated on Dec 12 when the audit logging stopped:
> >
> > Dec 12 05:59:52 Updated: yum - 3.2.8-2.fc8.noarch
> > Dec 12 06:05:20 Updated: cyrus-sasl-lib - 2.1.22-8.fc8.i386
> > Dec 12 06:05:20 Updated: libsepol - 2.0.15-1.fc8.i386
> > Dec 12 06:05:20 Updated: libsemanage - 2.0.12-2.fc8.i386
> > Dec 12 06:05:21 Updated: policycoreutils - 2.0.32-2.fc8.i386
> > Dec 12 06:05:23 Updated: samba-common - 3.0.28-0.fc8.i386
> > Dec 12 06:05:23 Updated: cyrus-sasl-md5 - 2.1.22-8.fc8.i386
> > Dec 12 06:05:23 Updated: cyrus-sasl-plain - 2.1.22-8.fc8.i386
> > Dec 12 06:05:24 Updated: samba-client - 3.0.28-0.fc8.i386
> > Dec 12 06:05:24 Updated: cyrus-sasl - 2.1.22-8.fc8.i386
> > Dec 12 06:05:25 Updated: selinux-policy - 3.0.8-64.fc8.noarch
> > Dec 12 06:06:05 Updated: selinux-policy-targeted - 3.0.8-64.fc8.noarch
> >
> > I wonder if this is when it somehow got flipped back to enforcing=1
> > since I had been running with a manual "setenforce 0" since November
>
> Maybe on policy reload it read /etc/selinux/config and pulled that
> setting?

load_policy doesn't touch the enforcing status.

> Anyway, you have some serious labeling issue there in /var...
>
> try restorecon -R /var

--
Stephen Smalley
National Security Agency
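
Added example (not part of the thread and not code from any of the posters): a parser that pulls enforcing-mode changes out of both record forms shown above, the auditd `type=MAC_STATUS msg=audit(...)` form and the kernel/syslog `type=1404 audit(...)` form, ties each change to the SYSCALL record with the same event id, and reports long silences in the audit stream, which is the condition under which "no matches" says nothing about whether the mode changed. The function names, the 7-day gap threshold and the sample lines are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# "msg=audit(sec.ms:serial):" is the auditd log form; the kernel ring buffer and
# syslog form shown in the thread drops "msg=" and uses the numeric type 1404.
EVENT_RE = re.compile(r"type=(\w+)\s+(?:msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MAC_STATUS_TYPES = {"MAC_STATUS", "1404"}
UNSET_AUID = "4294967295"  # unsigned -1: no login uid attached to the task
MODES = {"0": "permissive", "1": "enforcing"}

# Constructed sample: the SYSCALL/MAC_STATUS pair and the syslog line are the
# thread's records joined onto single lines (SYSCALL shortened); the AVC line
# and its timestamp are invented to stand in for the last record before a gap.
SAMPLE = [
    'type=AVC msg=audit(1197466384.434:100): avc:  denied  { getattr } for  pid=31687 comm="named"',
    'type=SYSCALL msg=audit(1200144784.891:24): arch=40000003 syscall=4 success=yes auid=500 uid=0 '
    'comm="setenforce" exe="/usr/sbin/setenforce" key=(null)',
    'type=MAC_STATUS msg=audit(1200144784.891:24): enforcing=0 old_enforcing=1 auid=500',
    'Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247): '
    'enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295',
]

def parse_record(line):
    """Return type, epoch timestamp, event id and key=value fields, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rtype, stamp, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "ts": float(stamp), "id": f"{stamp}:{serial}", "fields": fields}

def enforcing_changes(lines):
    """List enforcing-mode transitions, with the executable from the paired SYSCALL record."""
    records = [r for r in map(parse_record, lines) if r]
    syscalls = {r["id"]: r["fields"] for r in records if r["type"] == "SYSCALL"}
    changes = []
    for r in records:
        f = r["fields"]
        if r["type"] not in MAC_STATUS_TYPES or not {"enforcing", "old_enforcing"} <= f.keys():
            continue
        when = datetime.fromtimestamp(r["ts"], tz=timezone.utc)
        changes.append({
            "when": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "old": MODES.get(f["old_enforcing"], f["old_enforcing"]),
            "new": MODES.get(f["enforcing"], f["enforcing"]),
            "auid": None if f.get("auid") == UNSET_AUID else f.get("auid"),
            "exe": syscalls.get(r["id"], {}).get("exe"),  # None when no SYSCALL record is paired
        })
    return changes

def audit_gaps(lines, max_gap_seconds):
    """Return (last_seen, next_seen) epoch pairs where the audit stream went quiet."""
    stamps = sorted(r["ts"] for r in map(parse_record, lines) if r)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap_seconds]

if __name__ == "__main__":
    for change in enforcing_changes(SAMPLE):
        print(change)
    for start, end in audit_gaps(SAMPLE, 7 * 86400):
        print(f"no audit records for {(end - start) / 86400:.1f} days after epoch {start:.0f}")
```

On a live system the input would be the raw audit log and the kernel messages in syslog rather than the embedded list; `ausearch -i` output is not suitable because it rewrites the timestamps.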
