* Determining if SELinux is installed
@ 2005-02-15 16:18 Scott Cain
2005-02-15 16:33 ` Stephen Smalley
0 siblings, 1 reply; 8+ messages in thread
From: Scott Cain @ 2005-02-15 16:18 UTC (permalink / raw)
To: selinux
Hello,
Is there a programmatic way to determine if SELinux is installed and
enabled? I would like to know so that I can let the installer I've
written take appropriate action if it detects that it is there.
Thanks,
Scott
--
------------------------------------------------------------------------
Scott Cain, Ph. D. cain@cshl.org
GMOD Coordinator (http://www.gmod.org/) 216-392-3087
Cold Spring Harbor Laboratory
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Determining if SELinux is installed
2005-02-15 16:18 Determining if SELinux is installed Scott Cain
@ 2005-02-15 16:33 ` Stephen Smalley
2005-02-15 16:48 ` Scott Cain
0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2005-02-15 16:33 UTC (permalink / raw)
To: Scott Cain; +Cc: selinux
On Tue, 2005-02-15 at 11:18, Scott Cain wrote:
> Hello,
>
> Is there a programmatic way to determine if SELinux is installed and
> enabled? I would like to know so that I can let the installer I've
> written take appropriate action if it detects that it is there.
The libselinux function is is_selinux_enabled(3).
There is also a libselinux utility called selinuxenabled(1) that can be
used in a conditional, e.g. if selinuxenabled; then echo Yes; fi.
Finally, you can also manually check for presence of selinuxfs in
/proc/filesystems.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Determining if SELinux is installed
2005-02-15 16:33 ` Stephen Smalley
@ 2005-02-15 16:48 ` Scott Cain
2005-02-15 16:51 ` Stephen Smalley
2005-02-15 17:13 ` Daniel J Walsh
0 siblings, 2 replies; 8+ messages in thread
From: Scott Cain @ 2005-02-15 16:48 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Tue, 2005-02-15 at 11:33 -0500, Stephen Smalley wrote:
> On Tue, 2005-02-15 at 11:18, Scott Cain wrote:
> > Hello,
> >
> > Is there a programmatic way to determine if SELinux is installed and
> > enabled? I would like to know so that I can let the installer I've
> > written take appropriate action if it detects that it is there.
>
> The libselinux function is is_selinux_enabled(3).
> There is also a libselinux utility called selinuxenabled(1) that can be
> used in a conditional, e.g. if selinuxenabled; then echo Yes; fi.
> Finally, you can also manually check for presence of selinuxfs in
> /proc/filesystems.
Thanks. I guess it will have to be the last option, since the installer
is in perl, so I can't (directly) use is_selinux_enabled, and
since /usr/sbin isn't typically in a user's path, I can't count on that
either. So `grep selinuxfs /proc/filesystems` it is!
Thanks,
Scott
--
------------------------------------------------------------------------
Scott Cain, Ph. D. cain@cshl.org
GMOD Coordinator (http://www.gmod.org/) 216-392-3087
Cold Spring Harbor Laboratory
* Re: Determining if SELinux is installed
2005-02-15 16:48 ` Scott Cain
@ 2005-02-15 16:51 ` Stephen Smalley
2005-02-15 17:13 ` Daniel J Walsh
1 sibling, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2005-02-15 16:51 UTC (permalink / raw)
To: Scott Cain; +Cc: selinux, Daniel J Walsh
On Tue, 2005-02-15 at 11:48, Scott Cain wrote:
> Thanks. I guess it will have to be the last option, since the installer
> is in perl, so I can't (directly) use is_selinux_enabled, and
> since /usr/sbin isn't typically in a user's path, I can't count on that
> either. So `grep selinuxfs /proc/filesystems` it is!
Hmm...selinuxenabled (and the other trivial utilities from libselinux)
used to live in /usr/bin, but Red Hat moved them to /usr/sbin. Perhaps
some of them should still be there for this type of usage.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Determining if SELinux is installed
2005-02-15 17:13 ` Daniel J Walsh
@ 2005-02-15 17:12 ` Stephen Smalley
2005-02-15 18:04 ` Scott Cain
1 sibling, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2005-02-15 17:12 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Scott Cain, selinux
On Tue, 2005-02-15 at 12:13, Daniel J Walsh wrote:
> Why can't you fully path it? Just checking if the /proc/filesystem
> exists is not sufficient, if the user has disabled
> SELinux via /etc/selinux/config instead of selinux=0, I think.
> selinuxenabled also checks to see if a policy has been
> loaded.
That used to be true (in FC2 days), but is no longer the case - runtime
disable support completely disables SELinux, including unregistering
selinuxfs.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Determining if SELinux is installed
2005-02-15 16:48 ` Scott Cain
2005-02-15 16:51 ` Stephen Smalley
@ 2005-02-15 17:13 ` Daniel J Walsh
2005-02-15 17:12 ` Stephen Smalley
2005-02-15 18:04 ` Scott Cain
1 sibling, 2 replies; 8+ messages in thread
From: Daniel J Walsh @ 2005-02-15 17:13 UTC (permalink / raw)
To: Scott Cain; +Cc: Stephen Smalley, selinux
Scott Cain wrote:
>On Tue, 2005-02-15 at 11:33 -0500, Stephen Smalley wrote:
>
>
>>On Tue, 2005-02-15 at 11:18, Scott Cain wrote:
>>
>>
>>>Hello,
>>>
>>>Is there a programmatic way to determine if SELinux is installed and
>>>enabled? I would like to know so that I can let the installer I've
>>>written take appropriate action if it detects that it is there.
>>>
>>>
>>The libselinux function is is_selinux_enabled(3).
>>There is also a libselinux utility called selinuxenabled(1) that can be
>>used in a conditional, e.g. if selinuxenabled; then echo Yes; fi.
>>Finally, you can also manually check for presence of selinuxfs in
>>/proc/filesystems.
>>
>>
>
>Thanks. I guess it will have to be the last option, since the installer
>is in perl, so I can't (directly) use is_selinux_enabled, and
>since /usr/sbin isn't typically in a user's path, I can't count on that
>either. So `grep selinuxfs /proc/filesystems` it is!
>
>Thanks,
>Scott
>
>
>
Why can't you fully path it? Just checking if the /proc/filesystem
exists is not sufficient, if the user has disabled
SELinux via /etc/selinux/config instead of selinux=0, I think.
selinuxenabled also checks to see if a policy has been
loaded.
I would do the equivalent of
[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled
in perl.
Dan
* Re: Determining if SELinux is installed
2005-02-15 17:13 ` Daniel J Walsh
2005-02-15 17:12 ` Stephen Smalley
@ 2005-02-15 18:04 ` Scott Cain
2005-02-15 18:24 ` Daniel J Walsh
1 sibling, 1 reply; 8+ messages in thread
From: Scott Cain @ 2005-02-15 18:04 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, selinux
On Tue, 2005-02-15 at 12:13 -0500, Daniel J Walsh wrote:
> >
> Why can't you fully path it? Just checking if the /proc/filesystem
> exists is not sufficient, if the user has disabled
> SELinux via /etc/selinux/config instead of selinux=0, I think.
> selinuxenabled also checks to see if a policy has been
> loaded.
>
> I would do the equivalent of
>
> [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled
>
> in perl.
>
>
> Dan
Hi Dan,
I don't particularly like giving the full path to something for exactly
a reason that Stephen gave: it used to be in /usr/bin, now it's
in /usr/sbin, next, some genius will move it to /usr/libexec (or similar
foolishness). If I can't count on it being in the user's path, I don't
want it. Otherwise, I'll always have a potential failure point if
selinuxenabled is moved in some other distro.
Also, at the moment, the installer isn't going to do anything tricky.
If it detects that SELinux is installed (or might be), it will die with
a warning message telling the user what to do. To get past that point,
the user will have to pass in a flag on the command line telling the
installer that all is well.
The "what to do" at this point is: make sure the policies are up to
date, and then disable everything for httpd, or run in permissive mode,
or disable it altogether.
Scott
--
------------------------------------------------------------------------
Scott Cain, Ph. D. cain@cshl.org
GMOD Coordinator (http://www.gmod.org/) 216-392-3087
Cold Spring Harbor Laboratory
* Re: Determining if SELinux is installed
2005-02-15 18:04 ` Scott Cain
@ 2005-02-15 18:24 ` Daniel J Walsh
0 siblings, 0 replies; 8+ messages in thread
From: Daniel J Walsh @ 2005-02-15 18:24 UTC (permalink / raw)
To: Scott Cain; +Cc: Stephen Smalley, selinux
Scott Cain wrote:
>On Tue, 2005-02-15 at 12:13 -0500, Daniel J Walsh wrote:
>
>
>>Why can't you fully path it? Just checking if the /proc/filesystem
>>exists is not sufficient, if the user has disabled
>>SELinux via /etc/selinux/config instead of selinux=0, I think.
>>selinuxenabled also checks to see if a policy has been
>>loaded.
>>
>>I would do the equivalent of
>>
>>[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled
>>
>>in perl.
>>
>>
>>Dan
>>
>>
>Hi Dan,
>
>I don't particularly like giving the full path to something for exactly
>a reason that Stephen gave: it used to be in /usr/bin, now it's
>in /usr/sbin, next, some genius will move it to /usr/libexec (or similar
>foolishness). If I can't count on it being in the user's path, I don't
>want it. Otherwise, I'll always have a potential failure point if
>selinuxenabled is moved in some other distro.
>
>Also, at the moment, the installer isn't going to do anything tricky.
>If it detects that SELinux is installed (or might be), it will die with
>a warning message telling the user what to do. To get past that point,
>the user will have to pass in a flag on the command line telling the
>installer that all is well.
>
>The "what to do" at this point is: make sure the policies are up to
>date, and then disable everything for httpd, or run in permissive mode,
>or disable it altogether.
>
>Scott
>
>
>
Another option would be to execute something like
id -Z
I don't have a non-SELinux machine right now to know if that exits
non-zero. But it reports that SELinux is not enabled.
selinuxenabled was not considered a userspace tool that is why it was
moved along with a lot of other helper tools.
Dan
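
An added example, not code from any poster in this thread, that combines the checks discussed above: look for an executable selinuxenabled in more than one directory (so a move between /usr/bin and /usr/sbin does not break the check) and fall back to the selinuxfs entry in /proc/filesystems when the utility is not found. The function names, the argument convention and the "state method" output format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Function names and argument conventions are assumptions.

# has_selinuxfs [FILE]: succeed if FILE (default /proc/filesystems) lists
# selinuxfs. Entries look like "nodev<TAB>selinuxfs", so compare the last
# field exactly rather than substring-matching the line.
has_selinuxfs() {
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' \
        "${1:-/proc/filesystems}" 2>/dev/null
}

# find_selinuxenabled DIR...: print the first executable selinuxenabled
# found in the given directories, so a relocated binary is still picked up.
find_selinuxenabled() {
    for dir in "$@"; do
        if [ -x "$dir/selinuxenabled" ]; then
            printf '%s\n' "$dir/selinuxenabled"
            return 0
        fi
    done
    return 1
}

# selinux_check FSFILE DIR...: print "<state> <method>".
# Uses the utility's exit status when one is found; otherwise falls back
# to the selinuxfs entry in FSFILE.
selinux_check() {
    fsfile=$1
    shift
    if tool=$(find_selinuxenabled "$@"); then
        if "$tool"; then echo "enabled selinuxenabled"
        else echo "disabled selinuxenabled"; fi
    elif has_selinuxfs "$fsfile"; then
        echo "enabled selinuxfs"
    else
        echo "disabled selinuxfs"
    fi
}

# Typical call, using the two locations named in the thread:
#   selinux_check /proc/filesystems /usr/sbin /usr/bin
```

The second word of the output tells an installer which check produced the answer, which is useful when it has to print a warning and stop.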