On 08/11/15 23:13, Sandro Tosi wrote:
On Sun, Nov 8, 2015 at 9:27 PM, Laurent Bigonville <bi...@debian.org> wrote:
On Fri, 2 Jan 2015 22:48:26 +0000 Sandro Tosi <mo...@debian.org> wrote:


Thanks for the reply!
Any progress on this?

mmh, indeed

I'm ok in running sestatus, but it seems this tool is only available
if you are using SELinux and thus you have installed the relative
binaries, is there a way to identify if SELinux is enabled without
using that tool?


But this might be a bit too verbose, and I'm not sure whether the
output is considered stable.
I think that would be an important part to clarify, eventually if
there is a parsable way to output this information; this will reduce
the maintenance cost on reportbug side.

Another tool which seems to have a stable output is /usr/sbin/getenforce, it outputs either Disabled, Permissive or Enforcing. But again this is a tool that is part of SELinux toolset (selinux-utils package).

Like I said in my previous mail:

Or we could also, if we don't want to rely on any external tools, do
the following I guess:

- Check /proc/mount to see whether a "selinuxfs" filesystem is mounted
   that would indicate that selinux is at least enabled on the machine.
   (The mountpoint can, by default, be either /sys/fs/selinux or /selinux)
- Then a more granular status can be checked by looking in
   <mount_point>/enforce, <mount_point>/mls, <mount_point>/deny_unknown.
   The files contain 1/0 (true/false) to indicate whether SELinux is in
   enforcing mode, using MLS or denying unknown access vectors.

This is basically what the getenforce utility (and libselinux) is doing internally:



Laurent Bigonville
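
The tool-free check described in the message above, as an added Python sketch (not code from reportbug, libselinux or the thread): it looks for a `selinuxfs` entry in the kernel mount table at /proc/mounts and then reads the `enforce`, `mls` and `deny_unknown` flag files under that mount point. The function names and the `root` parameter are assumptions introduced here; `root` exists only so the code can be run against a constructed directory tree.

```python
import os


def find_selinuxfs(mounts_path="/proc/mounts"):
    """Return the mount point of the first selinuxfs entry, or None."""
    try:
        with open(mounts_path) as fh:
            for line in fh:
                fields = line.split()
                # Mount table columns: device, mount point, fs type, options, ...
                if len(fields) >= 3 and fields[2] == "selinuxfs":
                    return fields[1]
    except OSError:
        pass
    return None


def read_flag(path):
    """Read a 0/1 flag file; None when missing, unreadable or malformed."""
    try:
        with open(path) as fh:
            value = fh.read().strip()
    except OSError:
        return None
    return {"0": False, "1": True}.get(value)


def selinux_status(mounts_path="/proc/mounts", root=""):
    """Summarise SELinux state without calling sestatus or getenforce.

    `root` is a hypothetical prefix (assumption, for testing only) that is
    prepended to the mount point before the flag files are read.
    """
    mount_point = find_selinuxfs(mounts_path)
    if mount_point is None:
        return {"enabled": False}
    base = root + mount_point
    enforce = read_flag(os.path.join(base, "enforce"))
    mode = {True: "Enforcing", False: "Permissive"}.get(enforce, "Unknown")
    return {
        "enabled": True,
        "mount_point": mount_point,
        "mode": mode,
        "mls": read_flag(os.path.join(base, "mls")),
        "deny_unknown": read_flag(os.path.join(base, "deny_unknown")),
    }


if __name__ == "__main__":
    print(selinux_status())
```

A flag that cannot be read is reported as `None` (and the mode as `Unknown`) rather than guessed, so a bug report would show that the state could not be determined.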

Reportbug-maint mailing list
