This is not a troll post. I’m genuinely confused as to why SELinux gets so much hate. I have to say, I feel that it’s a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from Red Hat’s guide.

So yeah, why do we hate SELinux?

  • deadcatbounce@reddthat.com
    27 days ago

    For many years I installed Fedora from scratch (almost as if my PC was a Linux container and then added a kernel setup) to be exactly as I wanted it: no cruft, no bloat. I did that with other distros as well; Debian didn’t recommend SELinux.

    Last year I installed it from scratch using the installer and that included SELinux. With changes in SELinux policy, I found an installed flatpak which successive iterations didn’t like SELinux or tried to operate outside it. Fixing it was easy but I didn’t do so until I understood why it was violating.

    I had unknowingly subscribed to the FUD about SELinux; it doesn’t get in my way. Maybe I’m not as elite as I thought I was!

  • hexagonwin@lemmy.sdf.org
    26 days ago

    I don’t hate it, but as a PC/phone user its security features are almost never helpful and always cause issues so I just have it disabled.

  • unhrpetby@sh.itjust.works
    27 days ago

    Security is much more effective and adopted when it is simple. My understanding is that SELinux is not.

    This means not only will fewer people use it and more people turn it off if something doesn’t work, it means more people are at risk of misconfiguring their system to allow something they didn’t intend to.

    This is somewhat mitigated by the fact that, from my experience, Linux Security Modules can’t ever make you less secure than without it. But it still can provide a false sense of security if you misconfigure it.

    Here is a good article showing what I am referring to, and providing a solid security tool: BSD pledge/unveil on Linux.

    • socsa@piefed.social
      27 days ago

      SELinux isn’t really meant to be a user space “utility,” for lack of a better term. It’s meant to be an expert focused security framework for those with the expertise to both understand and implement robust security policies. Your average user daily driving Linux or even running a few self hosted services doesn’t really need complex security policies, and is definitely better served by some simpler tools.

  • timbuck2themoon@sh.itjust.works
    26 days ago

    I think it depends who you ask.

    As a Linux admin, I don’t mind it and actually really appreciate it. It’s a robust system like you said and though a bit persnickety on resolving things, does its job well.

    As a home user, I find that mostly you shouldn’t know it ever exists anyhow. The one time you might would be podman volume issues (when you forget or don’t know to append a z/Z) or when you’re doing something odd. I can see how some would dislike it in that case.

    But in any case I fully recommend running it and just learning how to use it. Kind of like IPv6. It’s misunderstood, too often disabled, and should be more widespread. They both are really improvements to what came before. Just technology that takes a little more time to learn is all.

    Here is a helpful video explaining it: https://youtu.be/_WOKRaM-HI4

  • Phoenixz@lemmy.ca
    26 days ago

    Nothing wrong with it

    It was built years ago by the NSA but I’m sure that by now any backdoors would have been found

    Having said that: it could use some rework to become more intuitive, especially with the error messages and how to resolve them

  • kia@lemmy.ca
    27 days ago

    If you’ve used something like AppArmor, you’ll see how SELinux is overly complex.

  • Noxy@pawb.social
    26 days ago

    I’d love to develop a muscle memory for working with it, but nowhere I’ve worked uses it at all. But from memory it really wasn’t that complicated, and the errors it spat out into system logs basically told you exactly what command to run to get past that particular violation.

    I don’t hate it at all. Just, never seen it used anywhere.

  • DigitalDilemma@lemmy.ml
    27 days ago

    I have a saying, “If it’s not DNS, then it’s SELinux”. It blocks stuff so frequently it’s a major time sink for us.

    It is overly complex and difficult to understand, especially if you’re developing and deploying software that does not have correct pre-rolled policies. A regular job for me is to help developers solve this - which generally means running their service, seeing what SELinux blocks on, and then applying a fix. Repeat 2-8 times until every way SELinux is trying to access a file is explicitly allowed. And sometimes, even software that comes via official repos has buggy SELinux policies that break things.

    Fortunately, there are tools to help you. Install setroubleshooter and when something doesn’t work, “grep seal /var/log/messages” and if it’s SELinux causing the problem, you’ll find instructions showing you what went wrong and how to create an exception. I absolutely consider this tool essential when using any system with SELinux enabled.

    • marauding_gibberish142@lemmy.dbzer0.com (OP)
      27 days ago

      Exactly. I use setroubleshoot myself and it’s awesome.

      I agree that creating custom policies for a bunch of apps day in day out will be tiring. But that is an argument against all MAC. I personally don’t want to see Linux going the way of abandoning MAC.

      • teawrecks@sopuli.xyz
        27 days ago

        How do you know when you’re letting through a valid access, an unnecessary one that could be a vulnerability, and an actively malicious one?

        I don’t think anyone is saying throw out all access control, they’re just saying SELinux adds too much unproductive friction for everyday usage. You said it takes 15m to troubleshoot. But that’s not a one time thing, that’s 15m that scales with the amount of new programs and updates you’re running. And 90% of people aren’t even going to be able to tell they’re looking at a malicious access if they’re in the habit of always working around blocks that show up.
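Added example, not part of any comment in this thread: the sub-thread above describes a loop of running a service, reading what SELinux denied and adding an exception, and asks how to tell which denials deserve one. This Python sketch groups `avc: denied` audit records by source type, target type and class, so each candidate rule is read as a whole before any exception is created. The log lines are constructed, `myservice_t` is a hypothetical domain, and the `watchlist` of target types is a reviewer's assumption.

```python
import re
from collections import defaultdict

# Constructed sample records; myservice_t is a hypothetical domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="myservice" name="app.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=2101 comm="myservice" path="/etc/myservice/app.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.300:203): avc:  denied  { read } for  pid=2101 comm="myservice" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=no exit=-13
"""

# Fields of interest in an "avc: denied" audit record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text, watchlist=("shadow_t",)):
    """Group denials by (source type, target type, class).

    watchlist holds target types the reviewer never wants allowed without
    a second look (an assumption of this example, not a standard list).
    """
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the paired SYSCALL record)
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
        groups[key]["count"] += 1
    report = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        report.append({
            "rule": f"allow {src} {tgt}:{cls} {{ {perms} }};",
            "commands": sorted(g["comms"]),
            "denials": g["count"],
            "needs_review": tgt in watchlist,
        })
    return report

if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        flag = "REVIEW" if entry["needs_review"] else "ok"
        print(f'[{flag}] {entry["rule"]}  ({entry["denials"]} denials)')
```

A flagged entry means the denial is more likely a bug or unwanted behaviour in the service than a gap in policy, so the fix belongs in the service rather than in a new allow rule.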

  • Quazatron@lemmy.world
    27 days ago

    I don’t hate it, I know that it adds a lot of security to a system, it’s just that it’s not user friendly and it can sometimes leave you scratching your head wondering what the hell happened.

    • marauding_gibberish142@lemmy.dbzer0.com (OP)
      27 days ago

      To be honest I had the exact same situation with AppArmor, and since then I have grown to like MAC. I know they’re doing it to keep me safe so I don’t complain. Honestly if people find MAC to be a hassle they should also in theory find file permissions and ACLs a hassle