Ping?

On 08/11/15 at 23:32, Laurent Bigonville wrote:
On 08/11/15 23:13, Sandro Tosi wrote:
On Sun, Nov 8, 2015 at 9:27 PM, Laurent Bigonville <bi...@debian.org> wrote:
On Fri, 2 Jan 2015 22:48:26 +0000 Sandro Tosi <mo...@debian.org> wrote:

Hi,

Thanks for the reply!
Any progress on this?
well

mmh, indeed


"""
I'm ok in running sestatus, but it seems this tool is only available
if you are using SELinux and thus u have installed the relative
binaries, is there a way to identify if SELinux is enabled without
using that tool?
"""

and

"""
But this might be a bit too verbose, and I'm not sure whether the
output is considered stable.
I think that would be an important part to clarify, eventually if
there is a parsable way to output this information; this will reduce
the maintenance cost on reportbug side.
"""

Another tool which seems to have a stable output is /usr/sbin/getenforce, it outputs either Disabled, Permissive or Enforcing. But again this is a tool that is part of SELinux toolset (selinux-utils package).

Like I said in my previous mail:

Or we could also, if we don't want to rely on any external tools, do
the following I guess:

- Check /proc/mount to see whether a "selinuxfs" filesystem is mounted
   that would indicate that selinux is at least enabled on the machine.
   (The mountpoint can, by default, be either /sys/fs/selinux or /selinux)
- Then a more granular status can be checked by looking in
   <mount_point>/enforce, <mount_point>/mls, <mount_point>/deny_unknown.
   The files contain 1/0 (true/false) to indicate whether SELinux is in
   enforcing mode, using MLS or denying unknown access vectors.

This is basically what the getenforce utility (and libselinux) is doing internally:

https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getenforce.c
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/enabled.c#L12
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/getenforce.c#L12

Cheers,

Laurent Bigonville
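
The check described in the message above (look for a "selinuxfs" entry in the mount table, then read the 1/0 status files under its mount point), as an added Python example that is not part of the original mail, of reportbug or of libselinux. The function names and the overridable `mounts_path` parameter are assumptions made for illustration; the default path is the kernel's /proc/mounts.

```python
import os


def find_selinuxfs(mounts_path="/proc/mounts"):
    """Return the mount point of the first selinuxfs entry, or None."""
    try:
        with open(mounts_path) as fh:
            for line in fh:
                # Fields: device, mount point, fstype, options, dump, pass
                fields = line.split()
                if len(fields) >= 3 and fields[2] == "selinuxfs":
                    return fields[1]
    except OSError:
        # No readable mount table: treat as "cannot tell, assume not enabled".
        pass
    return None


def read_flag(mount_point, name):
    """Read a 1/0 status file under selinuxfs; None if it cannot be read."""
    try:
        with open(os.path.join(mount_point, name)) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def selinux_status(mounts_path="/proc/mounts"):
    """Report SELinux state without calling sestatus or getenforce."""
    mount_point = find_selinuxfs(mounts_path)
    if mount_point is None:
        return {"enabled": False, "mode": "Disabled"}
    status = {"enabled": True, "mount_point": mount_point}
    for name in ("enforce", "mls", "deny_unknown"):
        status[name] = read_flag(mount_point, name)
    if status["enforce"] is None:
        status["mode"] = "Unknown"
    else:
        status["mode"] = "Enforcing" if status["enforce"] else "Permissive"
    return status


if __name__ == "__main__":
    print(selinux_status())
```
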
