On Fri, Jan 11, 2008 at 04:16:21PM -0500, Stephen Smalley wrote:
> On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> > Is there any way to tell from the audit log or elsewhere when
> > someone/something changed SELinux from enforcing to permissive or vice
> > versa?
> Look for MAC_STATUS records in the audit log, e.g.
> /sbin/ausearch -m MAC_STATUS
> These include changes to enforcing mode, with the enforcing= and
> old_enforcing= values.
This doesn't work apparently:
#cat /etc/fedora-release
Fedora release 8 (Werewolf)
#ausearch -m MAC_STATUS
<no matches>
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
#setenforce 1
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
[root@gkar 17:09:19 /var/log/audit]#ausearch -m MAC_STATUS
<no matches>
#setenforce 0
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
#ausearch -m MAC_STATUS
<no matches>
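
An added example, not part of the original thread: for a host whose audit log does carry MAC_STATUS records, this sketch pulls the enforcing= and old_enforcing= values out of raw log lines and flags switches to permissive. The record layout (`type=MAC_STATUS msg=audit(sec.ms:serial): ...`), the `auid=` field and the sample lines are assumptions constructed for illustration, and `mode_changes` is a hypothetical helper name.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the assumed raw audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200089400.101:880): arch=40000003 syscall=4 success=yes comm="setenforce"
type=MAC_STATUS msg=audit(1200089400.101:880): enforcing=1 old_enforcing=0 auid=500
type=USER_AUTH msg=audit(1200089455.200:881): user pid=2301 uid=0 auid=500 msg='op=PAM:authentication'
type=MAC_STATUS msg=audit(1200089520.337:885): enforcing=0 old_enforcing=1 auid=500
"""

# Header carries the event time (epoch seconds.millis) and the event serial number.
HEADER = re.compile(r"^type=MAC_STATUS msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
MODE = {"0": "permissive", "1": "enforcing"}


def mode_changes(lines):
    """Return one dict per MAC_STATUS record that reports an enforcing-mode change."""
    changes = []
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # other record types are ignored
        fields = dict(FIELD.findall(m.group(3)))
        new, old = fields.get("enforcing"), fields.get("old_enforcing")
        if new not in MODE or old not in MODE:
            continue  # record lacks usable mode fields; skip rather than guess
        when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        changes.append({
            "time": when.isoformat(),
            "serial": int(m.group(2)),
            "auid": fields.get("auid"),  # login uid, when the record carries one
            "old": MODE[old],
            "new": MODE[new],
            "weakened": old == "1" and new == "0",  # enforcing -> permissive
        })
    return changes


if __name__ == "__main__":
    for c in mode_changes(SAMPLE_LOG.splitlines()):
        flag = "ALERT" if c["weakened"] else "info"
        print(f'{flag} {c["time"]} event {c["serial"]}: '
              f'{c["old"]} -> {c["new"]} (auid={c["auid"]})')
```

An empty result means no MAC_STATUS records were present in the input, which is the same condition `ausearch -m MAC_STATUS` reports as `<no matches>`.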