[DSE-Dev] Bug#773346: reportbug should provide information about active LSM
Laurent Bigonville
bigon at debian.org
Sat Oct 7 15:03:57 UTC 2017
On Fri, 22 Sep 2017 12:26:42 +0200 Laurent Bigonville <bigon at debian.org>
wrote:
> On Sun, 03 Sep 2017 13:26:57 +0200 intrigeri <intrigeri at debian.org> wrote:
>
> > > As I am unknowledgeable on this matter, can you list all the LSMs and
> > > the way to identify whether any of them is running?
> >
> > A trivial way to discover AppArmor was proposed, and a bunch of
> > options for SELinux were mentioned as well; no input from the Tomoyo
> > maintainers AFAICT so let's skip that one ⇒ dropping the moreinfo tag.
> >
> > Next step is to actually implement this proposal in reportbug :)
> >
> > Sandro: at first glance this support could be added to
> > /usr/lib/python3/dist-packages/reportbug/bugreport.py, with actual
> > detection functions in utils.py, just like it's done for the init
> > system. Would this approach suit you?
>
> Regarding the way of detecting SELinux, like I said in my previous
> mails, I see 4 ways:
>
> 1. Use existing SELinux tools like sestatus; sestatus is installed in
> the policycoreutils package, which has a 95% chance of being installed
> if SELinux is enabled on the machine. If reportbug doesn't need to
> parse the output, this is probably the easiest and the lowest
> maintenance option, but it's quite verbose if we include that in all
> bug reports.
> 2. Use existing lower-level SELinux tools like selinuxenabled and
> getenforce; these tools will more than probably be installed in the
> case SELinux is enabled. Not sure if we can get the policy name in
> that way though.
> 3. If you don't want to shell out, you could use the python selinux
> module to retrieve and display the information (see my little
> example attached); there is however no guarantee that the
> python-selinux module is installed if SELinux is enabled.
> That means that reportbug will have to Depends/Recommends it. IMHO
> this is the most flexible way.
> 4. Directly query the selinuxfs and the SELinux configuration
> (/sys/fs/selinux/...); this is maybe too low level.
>
> I would probably go for 3 if depending on the module is OK and we just
> add one line telling: "LSM: SELinux: enabled - enforcing/permissive - Policy
> name: foo"
Here is a patch that implements the SELinux part.
I'm not too sure how to do that for AppArmor (or the other LSMs).
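As an added illustration of approach 4 from the quoted list (not the patch attached to this mail, and not reportbug's code), the following reads the kernel's own interfaces instead of shelling out and renders the one-line summary format proposed above. It assumes three kernel/config paths that the thread itself does not name: /sys/fs/selinux/enforce and /etc/selinux/config for SELinux, /sys/kernel/security/lsm for the list of active LSMs, and /sys/module/apparmor/parameters/enabled for AppArmor. The `files` mapping and `SAMPLE_FILES` are constructed so the logic can be exercised offline.

```python
"""Detect the active Linux Security Module(s) by reading the kernel's own
interfaces instead of shelling out (approach 4 in the thread: query selinuxfs
and the SELinux configuration directly), and render a one-line summary.

Every detector takes an optional `files` mapping {path: contents}; when it is
given, paths are looked up there instead of on the real filesystem, so the
logic can be exercised offline against constructed data.
"""
import re

# Constructed sample of what the kernel/config files might contain on a
# machine running SELinux in enforcing mode with the "default" policy.
SAMPLE_FILES = {
    "/sys/kernel/security/lsm": "capability,yama,selinux",
    "/sys/fs/selinux/enforce": "1\n",
    "/etc/selinux/config": "# This file controls the state of SELinux\n"
                           "SELINUX=enforcing\n"
                           "SELINUXTYPE=default\n",
}


def _read(path, files=None):
    """Stripped contents of `path`, or None if absent/unreadable
    (file missing, selinuxfs not mounted, permission denied)."""
    if files is not None:
        data = files.get(path)
        return data.strip() if data is not None else None
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


def active_lsms(files=None):
    """LSMs enabled in the running kernel, from /sys/kernel/security/lsm
    (comma-separated; assumed kernel interface). Empty list if unknown."""
    data = _read("/sys/kernel/security/lsm", files)
    return [name for name in data.split(",") if name] if data else []


def selinux_policy_name(files=None):
    """Policy name (SELINUXTYPE=...) from /etc/selinux/config, or None."""
    conf = _read("/etc/selinux/config", files)
    if conf is None:
        return None
    match = re.search(r"^\s*SELINUXTYPE\s*=\s*(\S+)", conf, re.MULTILINE)
    return match.group(1) if match else None


def selinux_status(files=None):
    """One-line SELinux summary in the format proposed in the thread.

    /sys/fs/selinux/enforce reads "1" when enforcing and "0" when
    permissive; selinuxfs is only mounted when SELinux is enabled, so a
    missing file is reported as disabled."""
    enforce = _read("/sys/fs/selinux/enforce", files)
    if enforce is None:
        return "SELinux: disabled"
    mode = "enforcing" if enforce == "1" else "permissive"
    policy = selinux_policy_name(files) or "unknown"
    return f"SELinux: enabled - {mode} - Policy name: {policy}"


def apparmor_status(files=None):
    """AppArmor summary from /sys/module/apparmor/parameters/enabled,
    which reads "Y" when the module is active (assumed kernel interface,
    not something the thread specifies)."""
    enabled = _read("/sys/module/apparmor/parameters/enabled", files)
    if enabled is None:
        return "AppArmor: not loaded"
    return "AppArmor: enabled" if enabled == "Y" else "AppArmor: disabled"


def lsm_report(files=None):
    """Report lines a tool like reportbug could include verbatim."""
    return [
        "LSM: active modules: " + (",".join(active_lsms(files)) or "unknown"),
        "LSM: " + selinux_status(files),
        "LSM: " + apparmor_status(files),
    ]


if __name__ == "__main__":
    print("\n".join(lsm_report(SAMPLE_FILES)))  # constructed data
    print("\n".join(lsm_report()))              # this machine
```

Reading selinuxfs directly avoids the Depends/Recommends question raised for option 3, at the cost of tying the detection to kernel interface paths rather than to libselinux; a missing or unreadable file is treated as "not active" rather than as an error so the bug report is still produced.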
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-SELinux-status-in-the-bug-reports.patch
Type: text/x-patch
Size: 3042 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20171007/a3a0c716/attachment.bin>