[resolved] selinux disables itself

ant2ne
Posts: 23
Joined: 2015/01/26 22:14:59

[resolved] selinux disables itself

Post by ant2ne » 2017/06/27 20:37:08

Every day at around 1:40 to 1:55 selinux disables itself. I've checked crontab and jobs and don't see anything that would obviously disable selinux. I'm kind of stumped as to what is going on. I've tried rolling back the kernel, and the logs aren't really helpful. I'm wondering if anyone has seen something like this and/or might have an idea of something to try.
Last edited by ant2ne on 2017/06/29 19:22:30, edited 1 time in total.

InitOrNot
Posts: 122
Joined: 2015/06/10 18:26:51

Re: selinux disables itself

Post by InitOrNot » 2017/06/27 20:54:21

ant2ne wrote: Every day at around 1:40 to 1:55 selinux disables itself.
That looks like either a hidden feature, or you have been hacked.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux disables itself

Post by TrevorH » 2017/06/27 21:16:43

Do you mean disabled? Or permissive?

It's not possible to disable selinux on the fly without a reboot. It is possible to go to permissive mode. What do you get from grep enforcing /var/log/audit/audit.log ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ant2ne
Posts: 23
Joined: 2015/01/26 22:14:59

Re: selinux disables itself

Post by ant2ne » 2017/06/28 20:27:52

I highly doubt I've been hacked due to the other layers of protection on this server. It doesn't even have internet access.

permissive, not disabled. Sorry.

I see entries similar to the following, which implies something is turning it off and then not turning it back on.
root@server:/var/log/audit# grep enforcing audit.log
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816

I will continue to dig deeper; maybe there is something that doesn't belong in a script somewhere.

Oddly enough it hasn't done it again since posting this. So stay tuned.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux disables itself

Post by TrevorH » 2017/06/28 22:26:49

type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
Someone with auid 1009 ran setenforce twice, once on 2017-06-28 21:21:48 to put it enforcing then again 1.3s later to put it permissive.

Run getent passwd 1009 if you don't already know who uid 1009 is.
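
One way to triage MAC_STATUS records like the ones quoted in this thread, as an added example that is not from the thread or from any CentOS tool: a small Python parser run over constructed sample lines modelled on the quoted ones, which keeps only enforcing-to-permissive switches and resolves the auid through the pwd module (the function names and the sample log are the example's own).

```python
import re
from datetime import datetime, timezone

# Constructed sample records, modelled on the MAC_STATUS lines quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
type=USER_LOGIN msg=audit(1498681400.000:154300): pid=2201 uid=0 auid=1009 ses=3817 msg='op=login'
"""

MAC_STATUS_RE = re.compile(
    r"type=MAC_STATUS msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"enforcing=(?P<enforcing>\d) old_enforcing=(?P<old>\d) auid=(?P<auid>\d+) ses=(?P<ses>\d+)"
)

def parse_mac_status(log_text):
    """Return one dict per MAC_STATUS record; every other record type is skipped."""
    events = []
    for line in log_text.splitlines():
        m = MAC_STATUS_RE.search(line)
        if not m:
            continue
        events.append({
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            "serial": int(m["serial"]),
            "enforcing": int(m["enforcing"]),
            "old_enforcing": int(m["old"]),
            "auid": int(m["auid"]),
            "ses": int(m["ses"]),
        })
    return events

def permissive_switches(events):
    """Keep only enforcing (1) -> permissive (0) transitions, the ones worth alerting on."""
    return [e for e in events if e["old_enforcing"] == 1 and e["enforcing"] == 0]

def summarise(events, resolve_name=None):
    """One line per switch; resolve_name maps an auid to a login name (e.g. pwd.getpwuid)."""
    out = []
    for e in permissive_switches(events):
        who = resolve_name(e["auid"]) if resolve_name else f"auid={e['auid']}"
        out.append(f"{e['time']:%Y-%m-%d %H:%M:%S} UTC: {who} (session {e['ses']}) set SELinux to permissive")
    return out

if __name__ == "__main__":
    import pwd  # same lookup as 'getent passwd <auid>', done in-process

    def name_for(auid):
        try:
            return pwd.getpwuid(auid).pw_name
        except KeyError:
            return f"auid={auid}"  # uid not in passwd (deleted account, LDAP only, etc.)

    for line in summarise(parse_mac_status(SAMPLE_AUDIT_LOG), name_for):
        print(line)
```

Point it at /var/log/audit/audit.log instead of the sample string to get the same report on a real host; the audit session id (ses) then lets you pull the matching login record and tie the switch to a terminal or cron job.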

ant2ne
Posts: 23
Joined: 2015/01/26 22:14:59

Re: selinux disables itself

Post by ant2ne » 2017/06/29 19:22:06

Figured it out, guys. Thanks. It was a script running from a place that I wasn't expecting. I thought I had disabled it but apparently not. The auid hint did help.
