On 27/10/17 at 14:40, Laurent Bigonville wrote:
On 26/10/17 at 19:17, intrigeri wrote:
intrigeri:
I'm attaching the equivalent for AppArmor.
Here's a cleaned up v2 (my initial patch had leftovers from a previous
version that included the output of aa-enabled; now that I've stopped
doing it I could simplify the code a bit).

Thanks a lot to Christian Boltz for catching this and
suggesting --quiet!


Oh, you are using aa-enabled and not a python module instead.

I've done another version of my patch that uses the selinuxenabled and getenforce tools (which are in a package installed in 99% of the cases when using selinux).

This is a bit less elegant, but it seems to do the job and it has the advantage of not requiring python-selinux.

I guess it's up to the maintainer to choose here.
I have rebased intrigeri's patch on top of the v3 (with the call to the tools instead of the python module) of mine.
From 4b0e115b90f19099eec605d3f89fd641fc4e9cf0 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bi...@debian.org>
Date: Sat, 7 Oct 2017 16:59:01 +0200
Subject: [PATCH 1/2] Add SELinux status in the bug reports

This is the first step to add LSM information in the bug reports
---
 reportbug/bugreport.py |  3 +++
 reportbug/utils.py     | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/reportbug/bugreport.py b/reportbug/bugreport.py
index ea835fa..e178a1a 100644
--- a/reportbug/bugreport.py
+++ b/reportbug/bugreport.py
@@ -82,6 +82,7 @@ class bugreport(object):
         debinfo = ''
         shellpath = utils.realpath('/bin/sh')
         init = utils.get_init_system()
+        lsminfo = utils.get_lsm_info()
 
         locinfo = []
         langsetting = os.environ.get('LANG', 'C')
@@ -177,6 +178,8 @@ class bugreport(object):
             debinfo += 'Shell: /bin/sh linked to %s\n' % shellpath
         if init:
             debinfo += 'Init: %s\n' % init
+        if lsminfo:
+            debinfo += 'LSM: %s\n' % lsminfo
 
         # Don't include system info for certain packages
         if self.sysinfo:
diff --git a/reportbug/utils.py b/reportbug/utils.py
index 8139668..fc9bb12 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -1304,3 +1304,23 @@ def get_init_system():
         init = 'sysvinit (via /sbin/init)'
 
     return init
+
+def get_lsm_info():
+    """Determines the linux security module enabled on the current machine
+
+    Returns None if there is no LSM enabled on the machine or if the state
+    cannot be determined."""
+
+    lsminfo = None
+    if os.path.exists('/usr/sbin/selinuxenabled') and (subprocess.call(['/usr/sbin/selinuxenabled']) == 0):
+        lsminfo = 'SELinux: enabled - '
+        enforce_status = subprocess.check_output(['/usr/sbin/getenforce']).decode('ascii')
+        lsminfo += 'Mode: %s - ' % enforce_status[:-1]
+        with open('/etc/selinux/config', 'r') as f:
+            lines = f.readlines()
+            for line in lines:
+                if line.startswith('SELINUXTYPE='):
+                    lsminfo += 'Policy name: %s' % line.split('=')[1][:-1]
+                    break
+
+    return lsminfo
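Review bot: the docstring promises None when the state cannot be determined, but none of the failure paths in this hunk are handled: if selinuxenabled exits 0 and /etc/selinux/config is missing or unreadable, `open()` raises, and if getenforce exits non-zero, `check_output` raises CalledProcessError; either aborts the whole bug report instead of just omitting the LSM line. Wrap the getenforce call and the config read in try/except (OSError, subprocess.CalledProcessError) and return the partial string. Also prefer `.strip()` over the `[:-1]` slices in `enforce_status[:-1]` and `line.split('=')[1][:-1]`, which drop the last character whether or not it is a newline, and use `split('=', 1)` so a value containing '=' is not truncated. Style: PEP 8 expects two blank lines before a top-level def; there is only one between `return init` and `def get_lsm_info():`.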
-- 
2.15.0.rc2

From 33abbc61d81481f29b73e4cfd2dd0ce9c071cede Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Thu, 26 Oct 2017 16:18:19 +0000
Subject: [PATCH 2/2] Add AppArmor status in the bug reports (Closes: #773346)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…using aa-enabled(1).

aa-enabled is shipped in the apparmor binary package so this check is not 100%
correct: technically, the AppArmor LSM can be enabled without the apparmor
package being installed, and in this case we won't tell about it in the
generated bug report. But for all practical matters, from reportbug's
perspective, this corner case is equivalent to AppArmor being disabled: without
apparmor_parser installed one can't compile and load policy into the kernel, so
the LSM is essentially a no-op.

Other, discarded options:

 - LibAppArmor.aa_is_enabled() would work, but it adds a dependency
   for little value; it's still an option on the table if the reportbug
   maintainers prefer not to shell out though.
 - checking /sys/module/apparmor/parameters/enabled would work, but it's too
   low-level for my taste.
---
 reportbug/utils.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/reportbug/utils.py b/reportbug/utils.py
index fc9bb12..42e811d 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -1312,8 +1312,16 @@ def get_lsm_info():
     cannot be determined."""
 
     lsminfo = None
+
+    if os.path.exists('/usr/bin/aa-enabled') \
+       and (subprocess.call(['/usr/bin/aa-enabled', '--quiet']) == 0):
+        lsminfo = 'AppArmor: enabled'
+
     if os.path.exists('/usr/sbin/selinuxenabled') and (subprocess.call(['/usr/sbin/selinuxenabled']) == 0):
-        lsminfo = 'SELinux: enabled - '
+        if lsminfo is None:
+            lsminfo = 'SELinux: enabled - '
+        else:
+            lsminfo += '; SELinux: enabled - '
         enforce_status = subprocess.check_output(['/usr/sbin/getenforce']).decode('ascii')
         lsminfo += 'Mode: %s - ' % enforce_status[:-1]
         with open('/etc/selinux/config', 'r') as f:
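Review bot: the `if lsminfo is None:` / `else: lsminfo += '; SELinux: enabled - '` branching duplicates the string literal and will need a third branch for every additional LSM; collecting each detected module into a list and returning `'; '.join(parts) or None` keeps the separator logic in one place and preserves the None contract without special cases. The resulting value also mixes two separators (`; ` between LSMs, ` - ` within the SELinux part), which is readable but worth a one-line comment so the format is not changed accidentally later. `--quiet` on aa-enabled is the right call, since `subprocess.call` otherwise lets the tool's output through to reportbug's stdout.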
-- 
2.15.0.rc2

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
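A hardened form of the detection the two patches implement, written as an added example that is not part of this thread or of reportbug: it uses the same tools and file (aa-enabled --quiet, selinuxenabled, getenforce, /etc/selinux/config) but turns every failure (tool missing, getenforce erroring, config unreadable) into less detail instead of an exception that would abort report generation, strips output rather than slicing off the last byte, and tolerates comments and whitespace in the config file. The injectable callables on get_lsm_info are an assumption made here so the logic can be exercised without SELinux or AppArmor installed; they are not reportbug's API.

```python
import subprocess


def _exit_status(cmd):
    """Run cmd silently and return its exit status; None if it cannot run."""
    try:
        return subprocess.call(cmd, stdout=subprocess.DEVNULL,
                               stderr=subprocess.DEVNULL)
    except OSError:  # tool missing or not executable
        return None


def _output(cmd):
    """Return cmd's stdout as stripped text; None on any failure."""
    try:
        return subprocess.check_output(cmd).decode('ascii', 'replace').strip()
    except (OSError, subprocess.CalledProcessError):
        return None


def _read_selinux_config():
    """Return the text of /etc/selinux/config; None if unreadable."""
    try:
        with open('/etc/selinux/config') as f:
            return f.read()
    except OSError:
        return None


def selinux_policy_name(config_text):
    """Extract SELINUXTYPE= from config text, ignoring comments and spaces."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith('SELINUXTYPE='):
            return line.split('=', 1)[1].strip() or None
    return None


def get_lsm_info(exit_status=_exit_status, output=_output,
                 read_config=_read_selinux_config):
    """Describe enabled LSMs, or None; failures degrade, never raise.

    The callables default to real subprocess/file access; tests pass fakes
    (this injection is an assumption of this example, not reportbug's API).
    """
    parts = []
    if exit_status(['/usr/bin/aa-enabled', '--quiet']) == 0:
        parts.append('AppArmor: enabled')
    if exit_status(['/usr/sbin/selinuxenabled']) == 0:
        mode = output(['/usr/sbin/getenforce']) or 'unknown'
        desc = 'SELinux: enabled - Mode: %s' % mode
        policy = selinux_policy_name(read_config() or '')
        if policy:
            desc += ' - Policy name: %s' % policy
        parts.append(desc)
    return '; '.join(parts) or None
```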
