[DSE-Dev] Bug#773346: reportbug should provide information about active LSM

Laurent Bigonville bigon at debian.org
Sat Oct 7 15:03:57 UTC 2017


On Fri, 22 Sep 2017 12:26:42 +0200 Laurent Bigonville <bigon at debian.org> 
wrote:
> On Sun, 03 Sep 2017 13:26:57 +0200 intrigeri <intrigeri at debian.org> wrote:
>
> > > As I am un-knowledgeable on this matter, can you list all the LSMs and
> > > the way to identify any of them is running?
> >
> > A trivial way to discover AppArmor was proposed, and a bunch of
> > options for SELinux were mentioned as well; no input from the Tomoyo
> > maintainers AFAICT so let's skip that one ⇒ dropping the moreinfo tag.
> >
> > Next step is to actually implement this proposal in reportbug :)
> >
> > Sandro: at first glance this support could be added to
> > /usr/lib/python3/dist-packages/reportbug/bugreport.py, with actual
> > detection functions in utils.py, just like it's done for the init
> > system. Would this approach suit you?
>
> Regarding the way of detecting SELinux, like I said in my previous
> mails, I see 4 ways:
>
> 1. Use existing SELinux tools like sestatus; sestatus is installed in
>     the policycoreutils package, which has a 95% chance of being installed if
>     SELinux is enabled on the machine. If reportbug doesn't need to
>     parse the output, this is probably the easiest and the lowest
>     maintenance option, but it's quite verbose if we include that in all
>     bug reports.
> 2. Use existing lower-level SELinux tools like selinuxenabled and
>     getenforce, these tools will more than probably be installed in the
>     case SELinux is enabled. Not sure if we can get the policy name in
>     that way though.
> 3. If you don't want to shell out, you could use the python selinux
>     module to retrieve and display the information (see my little
>     example attached); there is however no guarantee that the
>     python-selinux module is installed if selinux is enabled.
>     That means that reportbug will have to Depends/Recommends it. IMHO
>     this is the most flexible way.
> 4. Directly query the selinuxfs and selinux configuration
>     (/sys/fs/selinux/...), this is maybe too low level.
>
> I would probably go for 3 if depending on the module is OK and we just
> add one line saying: "LSM: SELinux: enabled - enforcing/permissive - Policy
> name: foo"
Here is a patch that implements the SELinux part.

I'm not too sure how to do that for AppArmor (or the other LSMs).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-SELinux-status-in-the-bug-reports.patch
Type: text/x-patch
Size: 3042 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20171007/a3a0c716/attachment.bin>
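The thread asks for a way to list the active LSMs and proposes a one-line "LSM: SELinux: enabled - enforcing/permissive - Policy name: foo" summary, and option 4 above (querying selinuxfs and the SELinux configuration directly) is dismissed as possibly too low level. The block below is an added example, not the attached patch and not reportbug's own code, showing that option 4 needs no extra Python dependency: it reads the kernel's own LSM list from securityfs (/sys/kernel/security/lsm), the SELinux enforcing flag from /sys/fs/selinux/enforce, SELINUXTYPE= from /etc/selinux/config (the same file libselinux consults for the policy name) and AppArmor's /sys/module/apparmor/parameters/enabled flag. The `read` parameter and the `reader_from_dict` helper are my own additions so the functions can be exercised offline against a constructed fake file tree; the summary format follows the one proposed in the thread.

```python
"""Detect active Linux Security Modules for a reportbug-style summary line.

Added example for the discussion above (not the attached patch and not
reportbug's code). Every function takes a `read(path) -> str | None` callable
so it can be run against the real filesystem or a constructed dict of files.
"""

# Contents of /sys/fs/selinux/enforce: "0" = permissive, "1" = enforcing.
_ENFORCE_MODES = {"0": "permissive", "1": "enforcing"}


def read_file(path):
    """Return the stripped text of `path`, or None if it is missing/unreadable.

    Missing files are the normal case on a machine without that LSM, so they
    are reported as None rather than raised.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


def reader_from_dict(files):
    """Reader over a {path: contents} dict (constructed test data, not a real host)."""
    return lambda path: files[path].strip() if path in files else None


def active_lsms(read=read_file):
    """LSMs the running kernel reports as active, from securityfs.

    The file holds a comma-separated list such as "capability,yama,selinux".
    Returns [] when securityfs is not mounted or the kernel does not expose it.
    """
    data = read("/sys/kernel/security/lsm")
    return [name for name in data.split(",") if name] if data else []


def selinux_policy_type(read=read_file):
    """SELINUXTYPE= from /etc/selinux/config, ignoring comments and blank lines."""
    data = read("/etc/selinux/config")
    if data is None:
        return None
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "SELINUXTYPE":
            return value.strip() or None
    return None


def selinux_status(read=read_file):
    """Mode and policy name if selinuxfs is mounted (SELinux enabled), else None."""
    enforce = read("/sys/fs/selinux/enforce")
    if enforce is None:
        return None
    return {
        "mode": _ENFORCE_MODES.get(enforce, "unknown(%s)" % enforce),
        "policy": selinux_policy_type(read),
    }


def apparmor_enabled(read=read_file):
    """AppArmor's module parameter reads 'Y' when the LSM is active."""
    return read("/sys/module/apparmor/parameters/enabled") == "Y"


def lsm_summary(read=read_file):
    """One line per detected LSM, in the format proposed in the thread."""
    lines = []
    status = selinux_status(read)
    if status is not None:
        lines.append("LSM: SELinux: enabled - %s - Policy name: %s"
                     % (status["mode"], status["policy"] or "unknown"))
    if apparmor_enabled(read):
        lines.append("LSM: AppArmor: enabled")
    kernel_list = active_lsms(read)
    if kernel_list:
        # The kernel's own list also covers LSMs with no dedicated probe (Tomoyo, Yama, ...).
        lines.append("LSM: kernel reports: %s" % ",".join(kernel_list))
    return "\n".join(lines) if lines else "LSM: none detected"


if __name__ == "__main__":
    print(lsm_summary())
```

Reading /sys/kernel/security/lsm answers the "which LSMs are running" question independently of any distribution tooling, which is why the summary prints it alongside the per-LSM probes; on a host where securityfs is not mounted the list is simply empty and only the selinuxfs and AppArmor probes contribute.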

