
[resolved] selinux disables itself

Posted: 2017/06/27 20:37:08
by ant2ne
Every day at around 1:40 to 1:55 selinux disables itself. I've checked crontab and job and don't see anything that would obviously disable selinux. I'm kind of stumped as to what is going on. I've tried rolling back the kernel, and the logs aren't really helpful. I'm wondering if anyone has seen something like this and/or might have an idea of something to try.

Re: selinux disables itself

Posted: 2017/06/27 20:54:21
by InitOrNot
ant2ne wrote: Every day at around 1:40 to 1:55 selinux disables itself.
That looks like either a hidden feature, or you have been hacked.

Re: selinux disables itself

Posted: 2017/06/27 21:16:43
by TrevorH
Do you mean disabled? Or permissive?

It's not possible to disable selinux on the fly without a reboot. It is possible to go to permissive mode. What do you get from grep enforcing /var/log/audit/audit.log?

Re: selinux disables itself

Posted: 2017/06/28 20:27:52
by ant2ne
I highly doubt I've been hacked due to the other layers of protection on this server. It doesn't even have internet access.

permissive, not disabled. Sorry.


I see entries similar to the following, which implies something is turning it off and then not turning it back on.
root@server:/var/log/audit# grep enforcing audit.log
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816

I will continue to dig deeper; maybe there is something that doesn't belong in a script somewhere.

Oddly enough it hasn't done it again since posting this. So stay tuned.

Re: selinux disables itself

Posted: 2017/06/28 22:26:49
by TrevorH
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
Someone with auid 1009 ran setenforce twice, once on 2017-06-28 21:21:48 to put it enforcing, then again 1.3s later to put it permissive.

Run getent passwd 1009 if you don't already know who uid 1009 is.
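A small parser for MAC_STATUS records, added here as an example (it is not code from the thread or from the audit package), that does in one pass what the grep above and the auid hint do by hand: it converts the msg=audit(...) epoch to UTC, resolves auid the way getent passwd would, and pairs each drop to permissive with the next return to enforcing within the same login session, so a drop that was never restored stands out. The sample log inside it is constructed (the thread's two records plus an invented SYSCALL line and an invented third record in another session). The function names, the SAMPLE_LOG constant and the field layout assumed by the regex are my own choices.

```python
import pwd
import re
from datetime import datetime, timezone

# Constructed sample log modelled on the records quoted in the thread. The
# SYSCALL line and the last MAC_STATUS record (a drop to permissive that is
# never restored, in a different login session) are invented to exercise
# the non-matching and never-restored cases.
SAMPLE_LOG = """\
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
type=SYSCALL msg=audit(1498681310.101:154294): arch=c000003e syscall=1 success=yes exit=1
type=MAC_STATUS msg=audit(1498767700.250:160001): enforcing=0 old_enforcing=1 auid=1009 ses=3901
"""

# Field layout as it appears in the thread's records; newer kernels append
# extra fields after ses=, which this pattern tolerates (no end anchor).
MAC_STATUS_RE = re.compile(
    r"^type=MAC_STATUS msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"enforcing=(?P<enforcing>[01]) old_enforcing=(?P<old>[01]) "
    r"auid=(?P<auid>\d+) ses=(?P<ses>\d+)"
)

UNSET = 4294967295  # (u32)-1: the kernel's value when no login session set auid/ses


def parse_mac_status(text):
    """Return one dict per MAC_STATUS record, in file order, with UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = MAC_STATUS_RE.match(line)
        if not m:
            continue  # some other record type; ignore it
        events.append({
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            "serial": int(m["serial"]),
            "enforcing": int(m["enforcing"]),
            "old_enforcing": int(m["old"]),
            "auid": int(m["auid"]),
            "ses": int(m["ses"]),
        })
    return events


def resolve_auid(auid):
    """Map an audit loginuid to a name. auid survives su/sudo, so it names the
    account that logged in, not necessarily the one that ran setenforce."""
    if auid == UNSET:
        return "unset (no login session, e.g. a daemon started at boot)"
    try:
        return pwd.getpwuid(auid).pw_name  # same lookup as 'getent passwd <auid>'
    except KeyError:
        return "uid %d (not in the local passwd database)" % auid


def permissive_windows(events):
    """Pair each switch to permissive with the next switch back to enforcing.

    Pairing is keyed on (auid, ses) so interleaved sessions are not mixed up.
    A window with restored=None was never put back to enforcing by that
    session; that is the one to chase first.
    """
    pending = {}  # (auid, ses) -> event that set enforcing=0
    windows = []
    for ev in events:
        key = (ev["auid"], ev["ses"])
        if ev["enforcing"] == 0 and ev["old_enforcing"] == 1:
            pending[key] = ev
        elif ev["enforcing"] == 1 and ev["old_enforcing"] == 0:
            drop = pending.pop(key, None)  # None: the drop predates this log file
            windows.append({
                "auid": ev["auid"], "ses": ev["ses"],
                "dropped": drop["time"] if drop else None,
                "restored": ev["time"],
                "seconds": (ev["time"] - drop["time"]).total_seconds() if drop else None,
            })
    for (auid, ses), drop in pending.items():
        windows.append({"auid": auid, "ses": ses, "dropped": drop["time"],
                        "restored": None, "seconds": None})
    return windows


def report(text):
    """Return one summary line per permissive window (returned, not printed, so it is testable)."""
    lines = []
    for w in permissive_windows(parse_mac_status(text)):
        who = "auid=%d (%s) ses=%d" % (w["auid"], resolve_auid(w["auid"]), w["ses"])
        if w["restored"] is None:
            lines.append("%s: permissive at %s UTC and NEVER restored"
                         % (who, w["dropped"].strftime("%Y-%m-%d %H:%M:%S")))
        elif w["dropped"] is None:
            lines.append("%s: restored enforcing at %s UTC (drop not in this log)"
                         % (who, w["restored"].strftime("%Y-%m-%d %H:%M:%S")))
        else:
            lines.append("%s: permissive for %.1fs from %s UTC"
                         % (who, w["seconds"], w["dropped"].strftime("%Y-%m-%d %H:%M:%S")))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the real file with report(open("/var/log/audit/audit.log").read()). Two caveats when reading the output: auid is the login uid and survives su and sudo, so auid=1009 names the account that logged in, not necessarily the account that ran setenforce; and because crond goes through pam_loginuid on RHEL/CentOS, a cron job carries its crontab owner's auid and a real session id too, so an auid alone does not distinguish an interactive login from a scheduled job. To see what else the same session did, ausearch --session 3816 -i on the same log pulls every record with ses=3816 and prints the auid as a name.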

Re: selinux disables itself

Posted: 2017/06/29 19:22:06
by ant2ne
Figured it out, guys. Thanks. It was a script running from a place that I wasn't expecting. I thought I had disabled it but apparently not. The auid hint did help.