Hi,

Laurent Bigonville:
> On 07/10/17 at 17:03, Laurent Bigonville wrote:
>> Here is a patch that implements the SELinux part

> Please find here the version 2 of my patch.

Thanks! I've reviewed this patch and it looks OK to me.

I've tested it on a sid system

 1. with AppArmor enabled;
 2. with no LSM enabled;

and it works as expected. I trust you've tested it on a system with SELinux enabled so I didn't check this.

I'm attaching the equivalent for AppArmor. This patch is meant to be applied on top of Laurent's.

Cheers,
--
intrigeri

>From d40f198f40ec665e6233982d73a81c2fc3acce8c Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Thu, 26 Oct 2017 16:18:19 +0000 Subject: [PATCH] Add AppArmor status in the bug reports (Closes: #773346) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …using aa-enabled(1). aa-enabled is shipped in the apparmor binary package so this check is not 100% correct: technically, the AppArmor LSM can be enabled without the apparmor package being installed, and in this case we won't tell about it in the generated bug report. But for all practical matters, from reportbug's perspective, this corner case is equivalent to AppArmor being disabled: without apparmor_parser installed one can't compile and load policy into the kernel, so the LSM is essentially a no-op. Other, discarded options: - LibAppArmor.aa_is_enabled() would work, but it adds a dependency for little value; it's still an option on the table if the reportbug maintainers prefer not to shell out though. - checking /sys/module/apparmor/parameters/enabled would work, but it's too low-level for my taste. --- reportbug/utils.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/reportbug/utils.py b/reportbug/utils.py index d1c9516..8b0a1ce 100644 --- a/reportbug/utils.py +++ b/reportbug/utils.py @@ -1318,10 +1318,20 @@ def get_lsm_info(): cannot be determined.""" lsminfo = None + + if os.path.exists('/usr/bin/aa-enabled') \ + and (subprocess.run('LC_ALL=C.UTF-8 aa-enabled', + shell=True, + stdout=subprocess.PIPE).returncode == 0): + lsminfo = 'AppArmor: enabled' + if selinux_module: is_selinux_enabled = selinux.is_selinux_enabled() if (is_selinux_enabled == 1): - lsminfo = 'SELinux: enabled - ' + if lsminfo is None: + lsminfo = 'SELinux: enabled - ' + else: + lsminfo += '; SELinux: enabled - ' is_selinux_enforce = selinux.security_getenforce() if (is_selinux_enforce == 0): lsminfo += 'Mode: permissive - ' -- 2.15.0.rc2
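
Review bot: in the get_lsm_info() hunk, the existence check tests '/usr/bin/aa-enabled', but the command that actually runs is the bare name aa-enabled, resolved through PATH by a shell (shell=True), so the binary that was checked is not necessarily the one that is executed. Consider running the checked path directly as an argument list, without a shell, and passing the locale through the environment, e.g. subprocess.run(['/usr/bin/aa-enabled'], env=dict(os.environ, LC_ALL='C.UTF-8'), ...). Only returncode is used, so the captured stdout is never read, and stderr is not redirected at all, which lets any aa-enabled error message reach the user's terminal while the report is being generated; stdout=subprocess.DEVNULL and stderr=subprocess.DEVNULL would cover both.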