audit log for "setenforce" changes?

Mon Jan 14 17:35:32 UTC 2008

On Sat, Jan 12, 2008 at 08:37:04AM -0500, Eric Paris wrote:
> Do you have auditd running?  If not look in dmesg or /var/log/messages
> instead of ausearch because it seems to be working fine for me....

Yes, I do have auditd running.

#service auditd status
auditd (pid 2523) is running...
#service rsyslog status
rsyslogd (pid 19658) is running...
rklogd (pid 19664) is running...
#ausearch  -m MAC_STATUS
<no matches>
#setenforce 0
#ausearch -m MAC_STATUS
<no matches>
#setenforce 1
#ausearch -m MAC_STATUS
<no matches>
#setenforce 0
#ausearch -m MAC_STATUS
<no matches>
#grep setenforce /var/log/messages
#grep setenforce /var/log/syslog
#grep setenforce /var/log/secure
#dmesg|grep setenforce