On Wed, 17 Dec 2014 09:53:15 +0000 u <u...@451f.org> wrote:

> Dear Maintainer,

Hello,

> when using an LSM like AppArmor, confined applications can sometimes
> seemingly malfunction.
>
> Thus, reportbug should report in "System Information" if such an LSM
> is installed and active in the kernel boot options.
>
> This might help spot bugs which are related to the LSM rather than to
> the package itself more easily.

I agree with that, that might be valuable information.

The SELinux status should probably also be added in the reports. SELinux can be disabled, in permissive mode and in enforcing mode. It might also be interesting to report the name of the policy that is currently loaded.

There are probably several ways to detect the state of SELinux.

Calling /usr/sbin/sestatus should display several interesting pieces of information:

======
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
======

But this might be a bit too verbose, and I'm not sure whether the output is considered stable.

We could call /usr/sbin/selinuxenabled, but this tool doesn't indicate if we are running in the permissive mode or not. This information is important to know to see whether SELinux can be blocking something.

Or we could also, if we don't want to rely on any external tools, do the following I guess:

- Check /proc/mount to see whether a "selinuxfs" filesystem is mounted, that would indicate that selinux is at least enabled on the machine. (The mountpoint can, by default, be either /sys/fs/selinux or /selinux)
- Then a more granular status can be checked by looking in <mount_point>/enforce, <mount_point>/mls, <mount_point>/deny_unknown. The files contain 1/0 (true/false) to indicate whether SELinux is in enforcing mode, using MLS or denying unknown access vectors. That would return more or less the same information as sestatus.
In addition the /etc/selinux/config file also contains the name of the policy that is supposed to be loaded (it's not possible to know if it's really the one being loaded I think) and the configured mode (as opposed to the runtime one).

Cheers,

Laurent Bigonville
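The tool-free detection described in the message above, as an added Python example; it is not part of the original message and is not reportbug's code. The function names and the keys of the returned dictionary are assumptions, and the mount table is read from /proc/mounts.

```python
# Added example: function names and dict keys are assumptions, not reportbug code.
import os

def find_selinuxfs(mounts_path="/proc/mounts"):
    """Return the selinuxfs mount point, or None if no selinuxfs is mounted.
    Mount table fields: device, mount point, fs type, options, dump, pass."""
    try:
        with open(mounts_path) as f:
            for line in f:
                fields = line.split()
                if len(fields) >= 3 and fields[2] == "selinuxfs":
                    return fields[1]
    except OSError:
        pass
    return None

def read_flag(path):
    """Read a 0/1 selinuxfs file; None when it is missing or unreadable."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def read_config(config_path="/etc/selinux/config"):
    """Parse KEY=value lines: the configured state, not the runtime one."""
    conf = {}
    try:
        with open(config_path) as f:
            for line in f:
                line = line.split("#", 1)[0].strip()
                if "=" in line:
                    key, value = line.split("=", 1)
                    conf[key.strip()] = value.strip()
    except OSError:
        pass
    return conf

def selinux_status(mounts_path="/proc/mounts", config_path="/etc/selinux/config"):
    mnt = find_selinuxfs(mounts_path)
    conf = read_config(config_path)
    status = {"enabled": mnt is not None, "config_mode": conf.get("SELINUX"),
              "config_policy": conf.get("SELINUXTYPE")}
    if mnt is not None:
        enforce = read_flag(os.path.join(mnt, "enforce"))
        modes = {True: "enforcing", False: "permissive"}
        status["mode"] = modes.get(enforce, "unknown")
        status["mls"] = read_flag(os.path.join(mnt, "mls"))
        status["deny_unknown"] = read_flag(os.path.join(mnt, "deny_unknown"))
    return status
```

Calling `selinux_status()` with no arguments reads the live system; the path parameters exist so the logic can be exercised against a constructed directory tree.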