
I'm working with an externally created script that reads from /proc/self/attr/current to get SELinux configuration info. It seems that, even though permissions on the file are 0666, on some systems this file can be read with no problem while on others it generates an "invalid argument" error. Specifically, there is 1 server out of 3 in a Kubernetes cluster where this file cannot be read, while on the other 2 it contains the string "unconfined".

I came across this thread which reported the same issue without resolution.

What could be preventing this file from being read?

OS is Debian 8.

dbush

1 Answer


/proc/[pid]/attr/current provides the current security attributes for the process. This isn't necessarily SELinux; it is also used by AppArmor.

In the case of Debian systems, it almost certainly is AppArmor, as SELinux is rarely or never used on Debian.

In particular, the bare string unconfined also indicates it's AppArmor; SELinux would have a much longer "unconfined" string, such as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

When this path can't be read, neither SELinux nor AppArmor is enabled.

Michael Hampton
  • Looks like that was it. I was looking for SELinux configs and didn't consider AppArmor. It turns out AppArmor wasn't installed on the one server but was on the other two. – dbush Feb 09 '18 at 13:25
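The distinction drawn in the answer above, as an added example that is not part of the original posts: a reader for /proc/self/attr/current that treats EINVAL as "no LSM label available" and tells an AppArmor label from an SELinux context by its shape. The function names and the returned tags ("apparmor", "selinux", "none", "unknown") are assumptions made for this sketch.

```python
import errno
import re

ATTR_PATH = "/proc/self/attr/current"

# SELinux context: user:role:type, optionally followed by an MLS level/range.
_SELINUX_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(:\S+)?$")
# AppArmor label of a confined process: "profile-name (mode)".
_APPARMOR_RE = re.compile(r"^(?P<profile>.+) \((?P<mode>[a-z]+)\)$")


def classify_label(raw):
    """Return (lsm, label) for the raw contents of attr/current."""
    # The kernel may append a newline or a NUL terminator.
    label = raw.strip("\x00\n ")
    if not label:
        return ("unknown", label)
    # A bare "unconfined" is the AppArmor form; SELinux uses a full context.
    if label == "unconfined" or _APPARMOR_RE.match(label):
        return ("apparmor", label)
    if _SELINUX_RE.match(label):
        return ("selinux", label)
    return ("unknown", label)


def read_current_label(path=ATTR_PATH):
    """Read and classify the label; EINVAL means neither LSM is enabled."""
    try:
        with open(path, "rb") as fh:
            raw = fh.read().decode("utf-8", "replace")
    except OSError as exc:
        if exc.errno == errno.EINVAL:
            # The "invalid argument" case from the question: the file exists
            # with mode 0666, but no module supplies a label to read.
            return ("none", "")
        raise
    return classify_label(raw)


if __name__ == "__main__":
    print(read_current_label())
```
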