audit log for "setenforce" changes?

Eric Paris eparis at redhat.com
Mon Jan 14 17:46:52 UTC 2008


Hmmm, are you getting any audit messages?  Maybe a long time back you
ran out of disk space and auditd stopped logging?  If you service auditd
restart and it can't log for some reason it should tell you
in /var/log/messages...

Maybe auditd is turned off?  What do you get from auditctl -s?  Is it
enabled?  Maybe you ran auditctl -e 0 at some time?

Assuming audit isn't running, the message in dmesg looks like:
type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
auid=4294967295 ses=4294967295

and the corresponding /var/log/messages:
Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295

Start telling me about all of your versions: are they all stock, or did
you build some of these parts yourself?  Because I can't find a way to
reproduce the problem to fix it....

-Eric

On Mon, 2008-01-14 at 12:35 -0500, Chuck Anderson wrote:
> On Sat, Jan 12, 2008 at 08:37:04AM -0500, Eric Paris wrote:
> > Do you have auditd running?  If not look in dmesg or /var/log/messages
> > instead of ausearch because it seems to be working fine for me....
> 
> Yes, I do have auditd running.
> 
> #service auditd status
> auditd (pid 2523) is running...
> #service rsyslog status
> rsyslogd (pid 19658) is running...
> rklogd (pid 19664) is running...
> #ausearch  -m MAC_STATUS
> <no matches>
> #setenforce 0
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 1
> #ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #ausearch -m MAC_STATUS
> <no matches>
> #grep setenforce /var/log/messages
> #grep setenforce /var/log/syslog
> #grep setenforce /var/log/secure
> #dmesg|grep setenforce
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
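
An added example, not part of the original thread: a small parser that finds the SELinux enforcing-mode change record quoted above (type=1404) in dmesg or /var/log/messages text. It goes beyond the message by also accepting the auditd log form (type=MAC_STATUS msg=audit(...)), which is an assumption here, and the names find_enforcing_changes and SAMPLE are hypothetical.

```python
import re
from datetime import datetime, timezone

UNSET_ID = 4294967295  # (u32)-1: kernel value for "no login uid/session set"

# Kernel-printed form from the message (type=1404 audit(...)) and, as an
# assumption beyond the page, the auditd log form (type=MAC_STATUS msg=audit(...)).
# \s+ lets a record match even when a log viewer or mailer wrapped it.
MAC_STATUS = re.compile(
    r"type=(?:1404|MAC_STATUS)\s+(?:msg=)?audit\((\d+)\.(\d+):(\d+)\):\s+"
    r"enforcing=([01])\s+old_enforcing=([01])\s+auid=(\d+)\s+ses=(\d+)"
)
MODE = {"0": "permissive", "1": "enforcing"}

def find_enforcing_changes(text):
    """Return one dict per distinct MAC_STATUS event found in text."""
    events, seen = [], set()
    for m in MAC_STATUS.finditer(text):
        secs, msecs, serial, new, old, auid, ses = m.groups()
        key = (secs, msecs, serial)  # same event shows up in dmesg and syslog
        if key in seen:
            continue
        seen.add(key)
        when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        events.append({
            "time_utc": when.isoformat(),
            "serial": int(serial),
            "old": MODE[old],
            "new": MODE[new],
            # None means the change cannot be tied to a login session
            "auid": None if int(auid) == UNSET_ID else int(auid),
            "ses": None if int(ses) == UNSET_ID else int(ses),
        })
    return events

# First two records are the ones quoted in the message (wrapped as shown);
# the third is constructed for this example.
SAMPLE = """\
type=1404 audit(1200447974.622:247): enforcing=0 old_enforcing=1
auid=4294967295 ses=4294967295
Jan 15 20:46:14 dhcp231-146 kernel: type=1404 audit(1200447974.622:247):
enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=MAC_STATUS msg=audit(1200448100.101:251): enforcing=1 old_enforcing=0 auid=500 ses=3
"""

if __name__ == "__main__":
    for ev in find_enforcing_changes(SAMPLE):
        print(ev)
```

The record carries the type and the enforcing= fields but not the name of the command that caused it, so matching is done on those fields.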



