On Wed, 17 Dec 2014 09:53:15 +0000 u <u...@451f.org> wrote:
> Package: reportbug
> Version: 6.6.1
> Severity: wishlist
>
> Dear Maintainer,

Dear Maintainer,

> when using an LSM like AppArmor, confined applications can sometimes
> seemingly malfunction.
>
> Thus, reportbug should report in "System Information" if such an LSM is
> installed and active in the kernel boot options.
>
> This might help spot bugs which are related to the LSM rather than to
> the package itself more easily.

I've uploaded reportbug with the attached patches to the delayed queue/15.

These patches add information about the LSM status.

Please tell me if my upload should be delayed further.

Kind regards,

Laurent Bigonville
From 62a6d19cd654e38a59b9f5382cd2304c1b3d6651 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bi...@debian.org>
Date: Sat, 7 Oct 2017 16:59:01 +0200
Subject: [PATCH 1/3] Add SELinux status in the bug reports

This is the first step to add LSM information in the bug reports
---
 reportbug/bugreport.py |  3 +++
 reportbug/utils.py     | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/reportbug/bugreport.py b/reportbug/bugreport.py
index ea835fa..e178a1a 100644
--- a/reportbug/bugreport.py
+++ b/reportbug/bugreport.py
@@ -82,6 +82,7 @@ class bugreport(object):
         debinfo = ''
         shellpath = utils.realpath('/bin/sh')
         init = utils.get_init_system()
+        lsminfo = utils.get_lsm_info()
 
         locinfo = []
         langsetting = os.environ.get('LANG', 'C')
@@ -177,6 +178,8 @@ class bugreport(object):
             debinfo += 'Shell: /bin/sh linked to %s\n' % shellpath
         if init:
             debinfo += 'Init: %s\n' % init
+        if lsminfo:
+            debinfo += 'LSM: %s\n' % lsminfo
 
         # Don't include system info for certain packages
         if self.sysinfo:
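Review bot: the `if lsminfo:` guard means a machine with no LSM and a machine where detection could not run (helper binaries not installed) both produce a report with no `LSM:` line at all, so the triager cannot tell the two apart. Consider emitting an explicit value in the negative case, or have get_lsm_info() return a string that distinguishes "none detected" from "unknown".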
diff --git a/reportbug/utils.py b/reportbug/utils.py
index 8139668..fc9bb12 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -1304,3 +1304,23 @@ def get_init_system():
         init = 'sysvinit (via /sbin/init)'
 
     return init
+
+def get_lsm_info():
+    """Determines the linux security module enabled on the current machine
+
+    Returns None if there is no LSM enabled on the machine or if the state
+    cannot be determined."""
+
+    lsminfo = None
+    if os.path.exists('/usr/sbin/selinuxenabled') and (subprocess.call(['/usr/sbin/selinuxenabled']) == 0):
+        lsminfo = 'SELinux: enabled - '
+        enforce_status = subprocess.check_output(['/usr/sbin/getenforce']).decode('ascii')
+        lsminfo += 'Mode: %s - ' % enforce_status[:-1]
+        with open('/etc/selinux/config', 'r') as f:
+            lines = f.readlines()
+            for line in lines:
+                if line.startswith('SELINUXTYPE='):
+                    lsminfo += 'Policy name: %s' % line.split('=')[1][:-1]
+                    break
+
+    return lsminfo
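Review bot: the docstring promises None when the state cannot be determined, but the `subprocess.check_output(['/usr/sbin/getenforce'])` call and the `open('/etc/selinux/config', 'r')` are unguarded, and only selinuxenabled is checked for existence. A missing getenforce, a non-zero exit or an absent config file therefore raises into bugreport.py instead of returning None. Wrap both in a try/except for OSError and subprocess.CalledProcessError and return whatever was gathered. Two smaller points in the same function: `enforce_status[:-1]` and `line.split('=')[1][:-1]` assume a trailing newline, so a config file whose last line has none loses the final character of the policy name (use `.strip()` and `split('=', 1)`); and when no SELINUXTYPE line is found the returned string ends with a dangling ' - '.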
-- 
2.15.1

From db744be8e7425ee454d8305b41b2bd0cca3c3e7d Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Thu, 26 Oct 2017 16:18:19 +0000
Subject: [PATCH 2/3] Add AppArmor status in the bug reports (Closes: #773346)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…using aa-enabled(1).

aa-enabled is shipped in the apparmor binary package so this check is not 100%
correct: technically, the AppArmor LSM can be enabled without the apparmor
package being installed, and in this case we won't tell about it in the
generated bug report. But for all practical matters, from reportbug's
perspective, this corner case is equivalent to AppArmor being disabled: without
apparmor_parser installed one can't compile and load policy into the kernel, so
the LSM is essentially a no-op.

Other, discarded options:

 - LibAppArmor.aa_is_enabled() would work, but it adds a dependency
   for little value; it's still an option on the table if the reportbug
   maintainers prefer not to shell out though.
 - checking /sys/module/apparmor/parameters/enabled would work, but it's too
   low-level for my taste.
---
 reportbug/utils.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/reportbug/utils.py b/reportbug/utils.py
index fc9bb12..42e811d 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -1312,8 +1312,16 @@ def get_lsm_info():
     cannot be determined."""
 
     lsminfo = None
+
+    if os.path.exists('/usr/bin/aa-enabled') \
+       and (subprocess.call(['/usr/bin/aa-enabled', '--quiet']) == 0):
+        lsminfo = 'AppArmor: enabled'
+
     if os.path.exists('/usr/sbin/selinuxenabled') and (subprocess.call(['/usr/sbin/selinuxenabled']) == 0):
-        lsminfo = 'SELinux: enabled - '
+        if lsminfo is None:
+            lsminfo = 'SELinux: enabled - '
+        else:
+            lsminfo += '; SELinux: enabled - '
         enforce_status = subprocess.check_output(['/usr/sbin/getenforce']).decode('ascii')
         lsminfo += 'Mode: %s - ' % enforce_status[:-1]
         with open('/etc/selinux/config', 'r') as f:
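Review bot: the `if lsminfo is None:` / `lsminfo += '; SELinux: enabled - '` pair builds one string with two separator styles, so a host with both LSMs reads 'AppArmor: enabled; SELinux: enabled - Mode: ...', and the same None check has to be repeated for every LSM added later. Collect each LSM's text in a list and join it once before the return. Also note that any non-zero exit from `aa-enabled --quiet` is treated the same as the binary being absent; if the distinction matters for triage, record the exit status rather than dropping it.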
-- 
2.15.1

From 7edc96904c4a0454481d7db0e7a87bb4d8ef95b1 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bi...@bigon.be>
Date: Sat, 16 Dec 2017 15:14:13 +0100
Subject: [PATCH 3/3] Release to unstable

---
 debian/changelog | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 68d8e1e..5ad6ab2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,15 @@
-reportbug (7.1.8) UNRELEASED; urgency=medium
+reportbug (7.1.7+nmu1) unstable; urgency=medium
 
+  * Non-maintainer upload.
+  [ Sandro Tosi ]
   * reportbug/debbugs.py
     - add `a11y` tag
 
- -- Sandro Tosi <mo...@debian.org>  Tue, 04 Jul 2017 21:00:30 -0400
+  [ Laurent Bigonville ]
+  * reportbug/bugreport.py, reportbug/utils.py
+    - Add LSM information to the bugreports (Closes: #773346)
+
+ -- Laurent Bigonville <bi...@debian.org>  Sat, 16 Dec 2017 14:40:50 +0100
 
 reportbug (7.1.7) unstable; urgency=medium
 
-- 
2.15.1
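
The second discarded option in the PATCH 2/3 commit message, reading /sys/module/apparmor/parameters/enabled, together with a newline-safe parse of SELINUXTYPE, as an added example; this is not code from the patches or from reportbug. The function names and the `root` parameter are hypothetical, and the sample files are constructed.

```python
import os
import tempfile


def apparmor_enabled(root='/'):
    """True/False from the module parameter, None if it cannot be read."""
    path = os.path.join(root, 'sys/module/apparmor/parameters/enabled')
    try:
        with open(path) as f:
            return f.read().strip() == 'Y'  # kernel bool parameters read Y or N
    except OSError:
        return None


def selinux_policy_name(root='/'):
    """SELINUXTYPE value from the config file, None if absent or unreadable."""
    path = os.path.join(root, 'etc/selinux/config')
    try:
        with open(path) as f:
            for line in f:
                key, sep, value = line.strip().partition('=')
                if sep and key == 'SELINUXTYPE' and value.strip():
                    return value.strip()
    except OSError:
        pass
    return None


def lsm_summary(root='/'):
    """One line for the report, or None when nothing could be determined."""
    parts = []
    aa = apparmor_enabled(root)
    if aa is not None:
        parts.append('AppArmor: %s' % ('enabled' if aa else 'disabled'))
    policy = selinux_policy_name(root)
    if policy:
        parts.append('SELinux configured policy: %s' % policy)
    return '; '.join(parts) or None


def make_sample_root(files):
    """Write constructed sample files under a temp dir standing in for /."""
    root = tempfile.mkdtemp()
    for rel, text in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), 'w') as f:
            f.write(text)
    return root
```

The configured policy name says what /etc/selinux/config requests, not whether SELinux is currently enabled or enforcing; that still needs selinuxenabled and getenforce as in PATCH 1/3.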
