[Reportbug-maint] Bug#773346: reportbug should provide information about active LSM

Laurent Bigonville bigon at debian.org
Sun Nov 8 22:32:48 UTC 2015


On 08/11/15 23:13, Sandro Tosi wrote:
> On Sun, Nov 8, 2015 at 9:27 PM, Laurent Bigonville <bigon at debian.org> wrote:
>> On Fri, 2 Jan 2015 22:48:26 +0000 Sandro Tosi <morph at debian.org> wrote:
>>
>> Hi,
>>
>>> Thanks for the reply!
>> Any progress on this?
> well

mmh, indeed

>
> """
> I'm ok in running sestatus, but it seems this tool is only available
> if you are using SELinux and thus you have installed the relative
> binaries, is there a way to identify if SELinux is enabled without
> using that tool?
> """
>
> and
>
> """
>> But this might be a bit too verbose, and I'm not sure whether the
>> output is considered stable.
> I think that would be an important part to clarify, eventually if
> there is a parsable way to output this information; this will reduce
> the maintenance cost on reportbug side.
> """

Another tool which seems to have a stable output is
/usr/sbin/getenforce; it outputs either Disabled, Permissive or
Enforcing. But again, this is a tool that is part of the SELinux toolset
(selinux-utils package).

Like I said in my previous mail:

> Or we could also, if we don't want to rely on any external tools, do
> the following I guess:
>
> - Check /proc/mount to see whether a "selinuxfs" filesystem is mounted
>    that would indicate that selinux is at least enabled on the machine.
>    (The mountpoint can, by default, be either /sys/fs/selinux or /selinux)
> - Then a more granular status can be checked by looking in
>    <mount_point>/enforce, <mount_point>/mls, <mount_point>/deny_unknown.
>    The files contain 1/0 (true/false) to indicate whether SELinux is in
>    enforcing mode, using MLS or denying unknown access vectors.

This is basically what the getenforce utility (and libselinux) is doing
internally:

https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getenforce.c
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/enabled.c#L12
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/getenforce.c#L12

Cheers,

Laurent Bigonville
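
The tool-free check proposed in the message above, sketched in Python as an added example (not part of the original mail, and not reportbug's or libselinux's code). The function names and the `root` parameter are hypothetical; the mount table and selinuxfs tree in `demo()` are constructed so the block runs on any machine.

```python
import os
import tempfile

def find_selinuxfs(mounts_text):
    """Return the mount point of the first selinuxfs entry, or None."""
    for line in mounts_text.splitlines():
        fields = line.split()
        # mount table fields: device, mount point, fstype, options, dump, pass
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            return fields[1]
    return None

def _read_flag(path):
    """Read a 0/1 status file; None if missing, unreadable or not a number."""
    try:
        with open(path) as fh:
            return bool(int(fh.read().strip()))
    except (OSError, ValueError):
        return None

def selinux_status(mounts_text, root="/"):
    """Summarise SELinux state without calling sestatus or getenforce."""
    mount_point = find_selinuxfs(mounts_text)
    if mount_point is None:
        return {"enabled": False}
    base = os.path.join(root, mount_point.lstrip("/"))
    status = {"enabled": True, "mount_point": mount_point}
    for name in ("enforce", "mls", "deny_unknown"):
        status[name] = _read_flag(os.path.join(base, name))
    return status

def demo():
    """Run against a constructed mount table and a fake selinuxfs tree."""
    mounts = (
        "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
        "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
    )
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "sys/fs/selinux")
        os.makedirs(base)
        for name, value in (("enforce", "0"), ("mls", "1")):
            with open(os.path.join(base, name), "w") as fh:
                fh.write(value)
        # deny_unknown is left out on purpose to show the None case
        return selinux_status(mounts, root)

if __name__ == "__main__":
    print(demo())
```

On a live system the input would be the contents of the kernel mount table, read from /proc/mounts, with `root` left at its default.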


