[resolved] selinux disables itself

ant2ne
Posts: 15
Joined: 2015/01/26 22:14:59

[resolved] selinux disables itself

Postby ant2ne » 2017/06/27 20:37:08

Everyday at around 1:40 to 1:55 selinux disables itself. I've checked crontab and job and don't see anything that would obviously disable selinux. I'm kind of stumped as to what is going on. I've tried rolling back the kernel, and the logs aren't real helpful. I'm wondering if anyone has seen something like this and/or might have an idea of something to try.
Last edited by ant2ne on 2017/06/29 19:22:30, edited 1 time in total.

InitOrNot
Posts: 109
Joined: 2015/06/10 18:26:51

Re: selinux disables itself

Postby InitOrNot » 2017/06/27 20:54:21

ant2ne wrote: Everyday at around 1:40 to 1:55 selinux disables itself.

That looks like either a hidden feature, or you have been hacked.

TrevorH
Forum Moderator
Posts: 20958
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux disables itself

Postby TrevorH » 2017/06/27 21:16:43

Do you mean disabled? Or permissive?

It's not possible to disable selinux on the fly without a reboot. It is possible to go to permissive mode. What do you get from grep enforcing /var/log/audit/audit.log ?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

ant2ne
Posts: 15
Joined: 2015/01/26 22:14:59

Re: selinux disables itself

Postby ant2ne » 2017/06/28 20:27:52

I highly doubt I've been hacked due to the other layers of protection on this server. It doesn't even have internet access.

Permissive, not disabled. Sorry.


I see entries similar to the following which implies something is turning it off and then not turning it back on.
root@server:/var/log/audit# grep enforcing audit.log
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816

I will continue to dig deeper; maybe there is something that doesn't belong in a script somewhere.

Oddly enough it hasn't done it again since posting this. So stay tuned.

TrevorH
Forum Moderator
Posts: 20958
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux disables itself

Postby TrevorH » 2017/06/28 22:26:49

type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816


Someone with auid 1009 ran setenforce twice, once on 2017-06-28 21:21:48 to put it enforcing then again 1.3s later to put it permissive.

Run getent passwd 1009 if you don't already know who uid 1009 is.
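A small parser for the MAC_STATUS records TrevorH is reading above, added here as an example and not code from the thread: it pairs each switch to permissive with the restore in the same audit session, flags sessions that never restore, and resolves the auid the way getent passwd would. The first two sample lines are the ones from the thread; the third and fourth are constructed to show an unrestored switch.

```python
import re
import pwd
from datetime import datetime, timezone

# Constructed sample log: two records from the thread plus a constructed
# session (ses=3901) that goes permissive and is never put back.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498767700.000:160001): enforcing=0 old_enforcing=1 auid=1009 ses=3901
type=USER_LOGIN msg=audit(1498767701.000:160002): pid=1 uid=0 auid=1009 ses=3901 res=success
"""

MAC_STATUS_RE = re.compile(
    r"type=MAC_STATUS msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"enforcing=(?P<new>[01]) old_enforcing=(?P<old>[01]) auid=(?P<auid>\d+) ses=(?P<ses>\d+)"
)

def parse_mac_status(log_text):
    """Return one dict per MAC_STATUS record, ordered by audit serial number."""
    events = []
    for line in log_text.splitlines():
        m = MAC_STATUS_RE.match(line)
        if m:
            events.append({"time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
                           "serial": int(m["serial"]), "enforcing": int(m["new"]),
                           "old_enforcing": int(m["old"]), "auid": int(m["auid"]),
                           "ses": int(m["ses"])})
    return sorted(events, key=lambda e: e["serial"])

def permissive_windows(events):
    """Pair each enforcing->permissive switch with the next restore in the same session."""
    windows, open_by_ses = [], {}
    for e in events:
        if (e["enforcing"], e["old_enforcing"]) == (0, 1):
            open_by_ses[e["ses"]] = e          # enforcement dropped in this session
        elif (e["enforcing"], e["old_enforcing"]) == (1, 0):
            start = open_by_ses.pop(e["ses"], None)
            windows.append({"auid": e["auid"], "ses": e["ses"], "end": e["time"],
                            "start": start["time"] if start else None,
                            "seconds": (e["time"] - start["time"]).total_seconds() if start else None})
    # Sessions that dropped to permissive and never restored are the ones to chase.
    for ses, e in open_by_ses.items():
        windows.append({"auid": e["auid"], "ses": ses, "start": e["time"], "end": None, "seconds": None})
    return windows

def resolve_auid(auid):
    """Local equivalent of 'getent passwd <auid>'; falls back to a placeholder name."""
    try:
        return pwd.getpwuid(auid).pw_name
    except KeyError:
        return f"unknown(auid={auid})"

def report(log_text):
    out = []
    for w in permissive_windows(parse_mac_status(log_text)):
        who, when = resolve_auid(w["auid"]), f"{w['start']:%Y-%m-%d %H:%M:%S} UTC"
        tail = "set permissive, NOT restored" if w["end"] is None else f"permissive for {w['seconds']:.1f}s"
        out.append(f"{when} ses={w['ses']} {who} {tail}")
    return out
```

Run it against the real file with report(open("/var/log/audit/audit.log").read()); the UTC timestamps will differ from the local time shown by ausearch.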

ant2ne
Posts: 15
Joined: 2015/01/26 22:14:59

Re: selinux disables itself

Postby ant2ne » 2017/06/29 19:22:06

Figured it out, guys. Thanks. It was a script running from a place that I wasn't expecting. I thought I had disabled it but apparently not. The auid hint did help.