[Reportbug-maint] Bug#773346: reportbug should provide information about active LSM

Laurent Bigonville bigon at debian.org
Tue Aug 29 12:37:31 UTC 2017


Ping?


On 08/11/15 at 23:32, Laurent Bigonville wrote:
> On 08/11/15 23:13, Sandro Tosi wrote:
>> On Sun, Nov 8, 2015 at 9:27 PM, Laurent Bigonville <bigon at debian.org> 
>> wrote:
>>> On Fri, 2 Jan 2015 22:48:26 +0000 Sandro Tosi <morph at debian.org> wrote:
>>>
>>> Hi,
>>>
>>>> Thanks for the reply!
>>> Any progress on this?
>> well
>
> mmh, indeed
>
>>
>> """
>> I'm ok in running sestatus, but it seems this tool is only available
>> if you are using SELinux and thus you have installed the relative
>> binaries, is there a way to identify if SELinux is enabled without
>> using that tool?
>> """
>>
>> and
>>
>> """
>>> But this might be a bit too verbose, and I'm not sure whether the
>>> output is considered stable.
>> I think that would be an important part to clarify, eventually if
>> there is a parsable way to output this information; this will reduce
>> the maintenance cost on reportbug side.
>> """
>
> Another tool which seems to have a stable output is 
> /usr/sbin/getenforce, it outputs either Disabled, Permissive or 
> Enforcing. But again this is a tool that is part of SELinux toolset 
> (selinux-utils package).
>
> Like I said in my previous mail:
>
>> Or we could also, if we don't want to rely on any external tools, do
>> the following I guess:
>>
>> - Check /proc/mount to see whether a "selinuxfs" filesystem is mounted
>>    that would indicate that selinux is at least enabled on the machine.
>>    (The mountpoint can, by default, be either /sys/fs/selinux or /selinux)
>> - Then a more granular status can be checked by looking in
>>    <mount_point>/enforce, <mount_point>/mls, <mount_point>/deny_unknown.
>>    The files contain 1/0 (true/false) to indicate whether SELinux is in
>>    enforcing mode, using MLS or denying unknown access vectors.
>
> This is basically what the getenforce utility (and libselinux) is doing 
> internally:
>
> https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getenforce.c 
>
> https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/enabled.c#L12 
>
> https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/getenforce.c#L12 
>
>
> Cheers,
>
> Laurent Bigonville
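
The tool-free check proposed in the quoted mail, as an added Python sketch; it is not part of the thread and not reportbug's or libselinux's code. It reads the kernel mount table from /proc/mounts; the function names, the `root` parameter and the sample mount lines are assumptions made for the example.

```python
import os

# Constructed sample of mount-table lines, for hosts without /proc/mounts.
SAMPLE_MOUNTS = (
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
)

def find_selinuxfs(mounts_text):
    """Return the mount point of the first selinuxfs entry, or None."""
    for line in mounts_text.splitlines():
        fields = line.split()  # device, mount point, fstype, options, ...
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            return fields[1]
    return None

def read_flag(directory, name):
    """Read a 1/0 status file; None if it is missing or not a number."""
    try:
        with open(os.path.join(directory, name)) as fh:
            return bool(int(fh.read().strip()))
    except (OSError, ValueError):
        return None

def selinux_status(mounts_text, root="/"):
    """Collect the flags named in the mail; root is a hypothetical test hook."""
    mount_point = find_selinuxfs(mounts_text)
    if mount_point is None:
        return {"enabled": False}
    directory = os.path.join(root, mount_point.lstrip("/"))
    status = {"enabled": True, "mount_point": mount_point}
    for name in ("enforce", "mls", "deny_unknown"):
        status[name] = read_flag(directory, name)
    return status

def describe(status):
    """One-line summary, using getenforce's words for the mode."""
    if not status["enabled"]:
        return "SELinux: Disabled"
    mode = {True: "Enforcing", False: "Permissive", None: "unknown"}
    return "SELinux: %s (mls=%s, deny_unknown=%s)" % (
        mode[status["enforce"]], status["mls"], status["deny_unknown"])

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            mounts = fh.read()
    except OSError:
        mounts = SAMPLE_MOUNTS  # not Linux: parse the constructed sample
    print(describe(selinux_status(mounts)))
```

A status file that cannot be read is reported as None rather than guessed, so a bug report would show "unknown" instead of a wrong mode.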


