[Reportbug-maint] Bug#773346: reportbug should provide information about active LSM

Laurent Bigonville bigon at debian.org
Fri Sep 22 10:26:42 UTC 2017

On Sun, 03 Sep 2017 13:26:57 +0200 intrigeri <intrigeri at debian.org> wrote:

 > > As I am un-knowledgeable on this matter, can you list all the LSMs and
 > > the way to identify any of them is running?
 > A trivial way to discover AppArmor was proposed, and a bunch of
 > options for SELinux were mentioned as well; no input from the Tomoyo
 > maintainers AFAICT so let's skip that one ⇒ dropping the moreinfo tag.
 > Next step is to actually implement this proposal in reportbug :)
 > Sandro: at first glance this support could be added to
 > /usr/lib/python3/dist-packages/reportbug/bugreport.py, with actual
 > detection functions in utils.py, just like it's done for the init
 > system. Would this approach suit you?

Regarding the way of detecting SELinux, like I said in my previous 
mails, I see 4 ways:

 1. Use existing SELinux tools like sestatus, sestatus is installed in
    policycoreutils package which has 95% of chances to be installed if
    SELinux is enabled on the machine. If reportbug doesn't need to
    parse the output, this is probably the easiest and the lower
    maintenance level, but it's quite verbose if we include that in all
    bug reports.
 2. Use existing lower-level SELinux tools like selinuxenabled and
    getenforce, these tools will more than probably be installed in the
    case SELinux is enabled. Not sure if we can get the policy name in
    that way though.
 3. If you don't want to shell out, you could use the python selinux
    module to retrieve and display the informations (see my little
    example attached) there is however no guarantee that the
    python-selinux module is installed if selinux is enabled though.
    That means that reportbug will have to Depends/Recommends it. IMHO
    this is the most flexible way.
 4. Directly query the selinuxfs and selinux configuration
    (/sys/fs/selinux/...), this is maybe too low level.

I would probably for 3 if depending on the module is OK and we just a 
one line telling: "LMS: SELinux: enabled - enforcing/permissive - Policy 
name: foo"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/reportbug-maint/attachments/20170922/c2c326f7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux_test.py
Type: text/x-python
Size: 660 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reportbug-maint/attachments/20170922/c2c326f7/attachment.py>

More information about the Reportbug-maint mailing list