Can't read from /proc/self/attr/current, but permissions are 0666

dbush asked:

I’m working with an externally created script that reads from /proc/self/attr/current to get SELinux configuration info. It seems that, even though permissions on the file are 0666, on some systems this file can be read with no problem while on others it generates an “invalid argument” error. Specifically, there is 1 server out of 3 in a Kubernetes cluster where this file cannot be read, while on the other 2 it contains the string “unconfined”.

I came across this thread which reported the same issue without resolution.

What could be preventing this file from being read?

OS is Debian 8.

My answer:

/proc/[pid]/attr/current provides the current security attributes for the process. This isn’t necessarily SELinux; it is also used by AppArmor.

In the case of Debian systems, it almost certainly is AppArmor, as SELinux is rarely or never used on Debian.

In particular, the bare string unconfined also indicates it’s AppArmor; SELinux would have a much longer “unconfined” string, such as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

When this path can’t be read, neither SELinux nor AppArmor is enabled.

View the full question and any other answers on Server Fault.
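
As an added example (not part of the original question or answer), here is a Python sketch of how a script could apply the answer's interpretation instead of failing on the read: an "invalid argument" error is treated as "no LSM enabled", a bare unconfined or a "profile (mode)" label as AppArmor, and a colon-separated context as SELinux. The function names `classify_label` and `probe` are hypothetical, and the sample labels other than the two quoted in the answer are constructed.

```python
import errno
import re

# AppArmor reports either the bare word "unconfined" or "<profile> (<mode>)".
_APPARMOR_CONFINED = re.compile(r".+ \([a-z]+\)$")


def classify_label(raw: bytes) -> str:
    """Guess which LSM produced the bytes read from /proc/<pid>/attr/current."""
    # The kernel may terminate the label with a newline or a NUL byte.
    label = raw.rstrip(b"\x00\n").decode("utf-8", "replace").strip()
    if label == "unconfined" or _APPARMOR_CONFINED.match(label):
        return "apparmor"
    # SELinux contexts look like user:role:type[:level].
    fields = label.split(":")
    if len(fields) >= 3 and all(fields[:3]):
        return "selinux"
    return "unknown"


def probe(path="/proc/self/attr/current", opener=open) -> str:
    """Return 'apparmor', 'selinux', 'unknown' or 'none' for the calling process.

    `opener` is injectable only so the error path can be exercised in tests.
    """
    try:
        with opener(path, "rb") as fh:
            return classify_label(fh.read())
    except OSError as exc:
        # File mode 0666 is irrelevant here: following the answer above,
        # EINVAL is read as "neither SELinux nor AppArmor is enabled".
        if exc.errno == errno.EINVAL:
            return "none"
        raise  # EACCES, ENOENT, ... are real problems; do not hide them


if __name__ == "__main__":
    try:
        print("LSM for this process:", probe())
    except OSError as exc:
        print("could not read attr/current:", exc)
```

Running this on each node of the cluster shows which hosts report `none` and which report `apparmor`, which is the difference the question describes between the one failing server and the other two.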

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.