[resolved] selinux disables itself
Every day at around 1:40 to 1:55 selinux disables itself. I've checked crontab and job and don't see anything that would obviously disable selinux. I'm kind of stumped as to what is going on. I've tried rolling back the kernel, and the logs aren't real helpful. I'm wondering if anyone has seen something like this and/or might have an idea of something to try.
Last edited by ant2ne on 2017/06/29 19:22:30, edited 1 time in total.
Re: selinux disables itself
ant2ne wrote: Every day at around 1:40 to 1:55 selinux disables itself.
That looks like either a hidden feature, or you have been hacked.
Re: selinux disables itself
Do you mean disabled? Or permissive?
It's not possible to disable selinux on the fly without a reboot. It is possible to go to permissive mode. What do you get from grep enforcing /var/log/audit/audit.log ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: selinux disables itself
I highly doubt I've been hacked due to the other layers of protection on this server. It doesn't even have internet access.
permissive, not disabled. Sorry.
I see entries similar to the following, which implies something is turning it off and then not turning it back on.
root@server:/var/log/audit# grep enforcing audit.log
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
I will continue to dig deeper; maybe there is something that doesn't belong in a script somewhere.
Oddly enough it hasn't done it again since posting this. So stay tuned.
Re: selinux disables itself
Someone with auid 1009 ran setenforce twice, once on 2017-06-28 21:21:48 to put it enforcing then again 1.3s later to put it permissive.
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
Run getent passwd 1009 if you don't already know who uid 1009 is.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
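As an added example (not code from the thread), a small Python parser for the MAC_STATUS records quoted above: it reads the audit(epoch:serial) header, pulls out enforcing/old_enforcing/auid/ses, and pairs each switch to permissive with the following switch back, so a window that is never closed (the symptom at the top of the thread) stands out together with the auid and session to chase. The sample log is constructed; its first two lines are the ones quoted in the thread, the rest are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample log: the two MAC_STATUS records quoted in the thread,
# plus one unrelated record and one constructed switch that is never reverted.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1498681308.673:154292): enforcing=0 old_enforcing=1 auid=1009 ses=3816
type=MAC_STATUS msg=audit(1498681309.977:154293): enforcing=1 old_enforcing=0 auid=1009 ses=3816
type=USER_LOGIN msg=audit(1498767600.000:160000): pid=1 uid=0 auid=1009 ses=3900 res=success
type=MAC_STATUS msg=audit(1498767700.500:160001): enforcing=0 old_enforcing=1 auid=1009 ses=3900
"""

# audit(<epoch seconds>.<ms>:<serial>) is the standard audit record header.
MAC_STATUS_RE = re.compile(
    r"type=MAC_STATUS msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"enforcing=(?P<enforcing>[01]) old_enforcing=(?P<old>[01]) "
    r"auid=(?P<auid>\d+) ses=(?P<ses>\d+)"
)

def parse_mac_status(text):
    """Return one dict per MAC_STATUS record, in log order; other types are skipped."""
    events = []
    for line in text.splitlines():
        m = MAC_STATUS_RE.match(line)
        if m:
            events.append({
                "when": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc),
                "serial": int(m["serial"]),
                "enforcing": int(m["enforcing"]),
                "old_enforcing": int(m["old"]),
                "auid": int(m["auid"]),   # login uid: who to ask, per the reply above
                "ses": int(m["ses"]),     # login session; pairs with USER_LOGIN records
            })
    return events

def find_permissive_windows(events):
    """Pair each enforcing->permissive switch with the next switch back as
    (auid, ses, start, end) tuples; end is None when the log ends with SELinux
    still permissive, i.e. nobody ran setenforce 1 again."""
    windows, start = [], None
    for ev in events:
        if ev["enforcing"] == 0 and ev["old_enforcing"] == 1:
            start = ev
        elif ev["enforcing"] == 1 and ev["old_enforcing"] == 0 and start:
            windows.append((start["auid"], start["ses"], start["when"], ev["when"]))
            start = None
    if start:  # still permissive at end of log: the case the thread is about
        windows.append((start["auid"], start["ses"], start["when"], None))
    return windows
```

Feed it the real file with `find_permissive_windows(parse_mac_status(open("/var/log/audit/audit.log").read()))` and look at any tuple whose end is None; the auid in it is the one to run `getent passwd` on.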
Re: selinux disables itself
Figured it out guys, thanks. It was a script running from a place that I wasn't expecting. I thought I had disabled it but apparently not. The auid hint did help.