audit log for "setenforce" changes?

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 14 18:46:17 UTC 2008 

On Mon, 2008-01-14 at 13:42 -0500, Eric Paris wrote:
> On Mon, 2008-01-14 at 13:31 -0500, Chuck Anderson wrote:
> > On Mon, Jan 14, 2008 at 12:46:52PM -0500, Eric Paris wrote:
> > > hmmm, are you getting any audit messages?
> > 
> > It appears that the last message I got was on Dec 12:
> > 
> > #ausearch -m AVC -i | tail -1
> > type=AVC msg=audit(12/12/2007 06:05:58.434:68533739) : avc:  denied  { 
> > getattr } for  pid=31687 comm=named path=/var/log/named/queries 
> > dev=dm-3 ino=10944781 scontext=system_u:system_r:named_t:s0 
> > tcontext=system_u:object_r:var_log_t:s0 tclass=file 
> > 
> > 
> > >  Maybe a long time back your
> > >  ran out of disk space and auditd stopped logging?  
> > 
> > I don't think I ran out of space:
> > 
> > #df -h
> > Filesystem            Size  Used Avail Use% Mounted on
> > /dev/mapper/VolGroup00-root
> >                        39G  301M   37G   1% /
> > /dev/sda2             494M   32M  438M   7% /boot
> > tmpfs                 1.5G     0  1.5G   0% /dev/shm
> > /dev/mapper/VolGroup00-home
> >                        97G  9.3G   83G  11% /home
> > /dev/mapper/VolGroup00-usr
> >                        97G  1.3G   91G   2% /usr
> > /dev/mapper/VolGroup00-var
> >                        97G   15G   78G  16% /var
> > 
> > > If you service auditd
> > > restart and it can't log for some reason it should tell you
> > > in /var/log/messages...
> > > 
> > > maybe auditd is turned off?  what do you get from auditctl -s ??  is it
> > > enabled?  maybe you ran auditctl -e 0 at some time?
> > 
> > #auditctl -s
> > AUDIT_STATUS: enabled=1 flag=1 pid=2523 rate_limit=0 backlog_limit=256 
> > lost=0 backlog=0
> > 
> > > assuming audit isn't running the message in dmesg looks like:
> > > type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
> > > auid=4294967295 ses=4294967295
> > > 
> > > and the corresponding /var/log/messages:
> > > Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
> > > enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> > 
> > #grep enforcing /var/log/messages
> > #dmesg | grep enforcing
> > 
> > Ok, I restarted auditd:
> > 
> > #service auditd restart
> > Stopping auditd:                                           [  OK  ]
> > Starting auditd:                                           [  OK  ]
> > #ausearch -m AVC -i | tail -1
> > type=AVC msg=audit(01/14/2008 13:25:32.903:137848459) : avc:  denied  
> > { getattr } for  pid=31227 comm=radiusd 
> > path=/var/log/radius/radius.log dev=dm-3 ino=10944744 
> > scontext=unconfined_u:system_r:radiusd_t:s0 
> > tcontext=system_u:object_r:user_home_t:s0 tclass=file 
> > 
> > > start telling me about all of your versions, are they all stock or did
> > > you build some of these parts yourself.  Because I can't find a way to
> > > reproduce the problem to fix it....
> > 
> > Stock Fedora 8 with updates:
> > 
> > #uname -r ; rpm -q kernel audit selinux-policy selinux-policy-targeted setools policycoreutils
> > 2.6.23.8-63.fc8
> > kernel-2.6.23.8-63.fc8
> > kernel-2.6.23.9-85.fc8
> > audit-1.6.2-4.fc8
> > selinux-policy-3.0.8-73.fc8
> > selinux-policy-targeted-3.0.8-73.fc8
> > setools-3.3.1-7.fc8
> > policycoreutils-2.0.33-2.fc8
> > policycoreutils-2.0.33-3.fc8
> > 
> > Here is what updated on Dec 12 when the audit logging stopped:
> > 
> > Dec 12 05:59:52 Updated: yum - 3.2.8-2.fc8.noarch
> > Dec 12 06:05:20 Updated: cyrus-sasl-lib - 2.1.22-8.fc8.i386
> > Dec 12 06:05:20 Updated: libsepol - 2.0.15-1.fc8.i386
> > Dec 12 06:05:20 Updated: libsemanage - 2.0.12-2.fc8.i386
> > Dec 12 06:05:21 Updated: policycoreutils - 2.0.32-2.fc8.i386
> > Dec 12 06:05:23 Updated: samba-common - 3.0.28-0.fc8.i386
> > Dec 12 06:05:23 Updated: cyrus-sasl-md5 - 2.1.22-8.fc8.i386
> > Dec 12 06:05:23 Updated: cyrus-sasl-plain - 2.1.22-8.fc8.i386
> > Dec 12 06:05:24 Updated: samba-client - 3.0.28-0.fc8.i386
> > Dec 12 06:05:24 Updated: cyrus-sasl - 2.1.22-8.fc8.i386
> > Dec 12 06:05:25 Updated: selinux-policy - 3.0.8-64.fc8.noarch
> > Dec 12 06:06:05 Updated: selinux-policy-targeted - 3.0.8-64.fc8.noarch
> > 
> > I wonder if this is when it somehow got flipped back to enforcing=1 
> > since I had been running with a manual "setenforce 0" since November
> 
> Maybe on policy reload it read /etc/selinux/config and pulled that
> setting?

load_policy doesn't touch the enforcing status.

> Anyway, you have some serious labeling issue there in /var...
> 
> try restorecon -R /var

-- 
Stephen Smalley
National Security Agency

More information about the selinux mailing list