[DSE-Dev] reportbug should provide information about active LSM

Laurent Bigonville bigon at debian.org
Sun Dec 21 21:46:02 UTC 2014


On Wed, 17 Dec 2014 09:53:15 +0000 u <u at 451f.org> wrote:

> Dear Maintainer,

Hello,
 
> when using an LSM like AppArmor, confined applications can sometimes
> seemingly malfunction.
> 
> Thus, reportbug should report in "System Information" if such an LSM
> is installed and active in the kernel boot options.
> 
> This might help spot bugs which are related to the LSM rather than to
> the package itself more easily.

I agree with that; that might be valuable information.

The SELinux status should probably also be added in the reports.
SELinux can be disabled, in permissive mode and in enforcing mode. It
might also be interesting to report the name of the policy that is
currently loaded.

There are probably several ways to detect the state of SELinux.

Calling /usr/sbin/sestatus should display several interesting pieces of
information:

======
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
======

But this might be a bit too verbose, and I'm not sure whether the
output is considered stable.

We could call /usr/sbin/selinuxenabled, but this tool doesn't indicate
if we are running in the permissive mode or not. This information is
important to know to see whether SELinux can be blocking something.

Or, if we don't want to rely on any external tools, we could also do
the following, I guess:

- Check /proc/mount to see whether a "selinuxfs" filesystem is mounted;
  that would indicate that SELinux is at least enabled on the machine.
  (The mountpoint can, by default, be either /sys/fs/selinux or /selinux)
- Then a more granular status can be checked by looking in
  <mount_point>/enforce, <mount_point>/mls, <mount_point>/deny_unknown.
  The files contain 1/0 (true/false) to indicate whether SELinux is in
  enforcing mode, using MLS or denying unknown access vectors.

That would return more or less the same information as sestatus. In
addition the /etc/selinux/config file also contains the name of the
policy that is supposed to be loaded (it's not possible to know if it's
really the one being loaded I think) and the configured mode (as
opposed to the runtime one).

Cheers,

Laurent Bigonville
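The tool-free procedure described in the message above (look for a selinuxfs mount in /proc/mounts, read enforce/mls/deny_unknown under that mount point, then read the configured mode and policy name from /etc/selinux/config), as an added Python example that is not part of this thread or of reportbug. The SAMPLE_FILES contents are constructed, and the read_file callable is an assumption made so the same logic runs against real files or the sample.

```python
# Constructed sample of the files the procedure reads (not captured from a real host).
SAMPLE_FILES = {
    "/proc/mounts": "proc /proc proc rw 0 0\nselinuxfs /sys/fs/selinux selinuxfs rw 0 0\n",
    "/sys/fs/selinux/enforce": "0\n",          # 0 = permissive, 1 = enforcing
    "/sys/fs/selinux/mls": "1\n",              # 1 = loaded policy uses MLS
    "/sys/fs/selinux/deny_unknown": "0\n",     # 0 = unknown access vectors allowed
    "/etc/selinux/config": "# config\nSELINUX=permissive\nSELINUXTYPE=refpolicy\n",
}

def find_selinuxfs(mounts_text):
    # Mount point of the selinuxfs filesystem from /proc/mounts text, else None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            return fields[1]
    return None

def parse_selinux_config(config_text):
    # SELINUX= (configured mode) and SELINUXTYPE= (policy name) from the config file
    found = {}
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in ("SELINUX", "SELINUXTYPE"):
            found[key.strip()] = value.strip()
    return found

def selinux_status(read_file):
    # read_file(path) -> text; a missing file raises OSError (open) or KeyError (dict)
    try:
        mount = find_selinuxfs(read_file("/proc/mounts"))
    except (OSError, KeyError):
        mount = None   # no /proc/mounts at all: report SELinux as not enabled
    status = {"enabled": mount is not None, "mountpoint": mount}
    if mount:
        for flag in ("enforce", "mls", "deny_unknown"):   # each file holds "1" or "0"
            try:
                status[flag] = read_file(mount + "/" + flag).strip() == "1"
            except (OSError, KeyError):
                status[flag] = None   # unreadable: report unknown rather than guess
    try:
        cfg = parse_selinux_config(read_file("/etc/selinux/config"))
    except (OSError, KeyError):
        cfg = {}
    status["configured_mode"] = cfg.get("SELINUX")        # configured, not runtime, mode
    status["configured_policy"] = cfg.get("SELINUXTYPE")  # may differ from loaded policy
    return status

if __name__ == "__main__":
    print(selinux_status(SAMPLE_FILES.__getitem__))         # the constructed sample
    print(selinux_status(lambda path: open(path).read()))  # this host
```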



More information about the SELinux-devel mailing list