This is not a troll post. I’m genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it’s a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat’s guide.
So yeah, why do we hate SELinux?
You must log in or register to comment.
I think it depends who you ask.
As a linux admin, I don’t mind it and actually really appreciate it. It’s a robust system like you said and though a bit persnickety on resolving things, does its job well.
As a home user, I find that mostly you shouldn’t know it ever exists anyhow. The one time you might would be podman volume issues (when you forget or don’t know to append a z/Z) or when you’re doing something odd. I can see how some would dislike it in that case.
But in any case I fully recommend running it and just learning how to use it. Kind of like IPv6. It’s misunderstood, too often disabled, and should be more widespread. They both are really improvements to what came before. Just technology that takes a little more time to learn is all.
Here is a helpful video explaining it- https://youtu.be/_WOKRaM-HI4
SRE here and I agree with you. I’m basically a glorified Linux admin lol
SELinux is complex
MAC is generally more complex than simple Unix permissions. Whether SELinux is more complex than AppArmour is more up to preference in my opinion
I only had a problem with it once, but having no experience with it really confused me.
I was mounting a directory to a docker container and i kept getting permission errors. The errors were not descriptive at all and really confused me as i already had sudo privileges and wasn’t expecting any problems with permission.
I don’t hate it, but as a PC/phone user it’s security features are almost never helpful and always cause issues so I just have it disabled.
I never have any issues with it in fedora
I don’t hate it. What’s SELinux?
SELinux is an access control system for Linux. Traditionally Linux uses Dynamic Access Control (DAC) which basically means the person who creates a file can determine who can access that file. Thats pretty fine for day to day use but there are some problems with this model in terms of security. One I can think of is that it’s more vulnerable to privilege escalation (a hacker getting access to a higher level account like admin through a lower level account) because it puts the onus on the user to define who can access the file. SELinux was invented by our good friends at the NSA to remedy these kinds of problems. It’s an example of Mandatory Access Control. It works on top of DAC by creating policies that work to prevent things like privilage escalation. It’s also a lot more comprehensive than DAC. It allows for things context based access, taking into account the broader security context of an access attempt, the user’s role, etc.
I’m actually not entirely sure why some people don’t like it. Understandably, some people are wary of anything the NSA let’s out into the public. But as it’s open source and has been integrated into a number of Linux distros like Fedora, it’s unlikely they’ve backdoored it. If I was to hazard a guess, I’d say some people don’t like it for the same reason they don’t like systemd: Linux has often been an OS where user’s like a big degree of control through simple traditional systems and those don’t like the idea of losing some of that control to the complexity overhead involved in these new systems.
In the time it took you to type that comment here, you could have typed it in Google and gotten an immediate response
Internet users like you are the worst.
Yep, we’re right up there with lazy people who literally ask strangers to Google things for them and then sit back and wait for the response to be delivered to them personally. The worst.
If they brought up SELinux I’d assume they had no need to Google it.
I would agree until they asked what it is
This is an online DISCUSSION
Stfu
Exactly. You tell em! This is a discussion! It’s not a place to ask for definitions.
U mad tho
No U mad
Was trying to start a discussion, my bad.
Some people like to talk to each other. Like people who are people?
Thanks!
That’s true. “define chair” is a great conversation starter.
I definitely do not hate SELinux, I think it’s a great system. But my experience mostly (at home, anyway) comes from managing servers running Kubernetes clusters and, like, just using podman do deploy containers. In both these cases SELinux is a on “just works” basis, for the most part.
Then in enterprise environment that doesn’t run everything on containers, you usually have a very standardized way of applying SELinux policies. At my last place of work we did it via a rather Ansible role. It was simple and easy.
But I can imagine using SELinux at home, where you maybe don’t have these things, might be a rather “mysterious” experience. It’s not the most obvious system.
But learning to write your own policies (even if just trough se2allow or whatever it’s called) does de-mystify SELinix pretty quick.
Nothing wrong with it
It was built years ago by the NSA but I’m sure that by now any backdoors nwould have been found
Having said that: it could use some rework to become more intuitive, especially with the error messages and how to resolve them
It’s more work to get things to work. You have to be more explicit as a dev.
Personally I really like it, and wish there was more support for MLS features it has in Userland
openSUSE tumbleweed changed to using it and I think it works well.
I don’t hate it, I know that it adds a lot of security to a system, it’s just that it’s not user friendly and it can sometimes leave you scratching your head wondering what the hell happened.
To be honest I had the exact same situation with AppArmor, and since then I have grown to like MAC. I know they’re doing it to keep me safe so I don’t complain. Honestly if people find MAC to be a hassle they should also in theory find file permissions and ACLs a hassle
Oh the people who dislike MAC probably do dislike file permissions too, ha.
chmod -R 777 somedirand such.
Docker container can’t read a bind mount. Permission issue? No, it’s SELinux, again. And I didn’t even install it explicitly, it just got pulled in by another package.
And to be clear, the issue isn’t SELinux really, but unexpected behaviour which I never asked for (never explicitly installed it).
Isn’t that trivially simple to address though? Just add
:zto the end of the mount value string, and restart the container.
Security is much more effective and adopted when it is simple. My understanding is that SELinux is not.
This means not only will fewer people use it and more people turn it off if something doesn’t work, it means more people are at risk of misconfiguring their system to allow something they didn’t intend to.
This is somewhat mitigated from the fact that, from my experience, Linux Security Modules cant ever make you less secure than without it. But it still can provide a false sense of security if you misconfigure it.
Here is a good article showing what I am referring to, and providing a solid security tool: BSD pledge/unveil on Linux.
SELinux isn’t really meant to be a user space “utility,” for lack of a better term. It’s meant to be an expert focused security framework for those with the expertise to both understand and implement robust security policies. Your average user daily driving Linux or even running a few self hosted services doesn’t really need complex security policies, and is definitely better served by some simpler tools.
Yep. Android modding prior to Magisk and Google overcomplicating things was the first step “selinux permissive”.
I think this is where the confusion happens.
I use SELinux at my job. I admit that I’m not a Linux expert, neither am I an SELinux guru. The only interaction I have with SELinux is:
- Oh, my app keeps dying even after I chown the relevant directories.
- Looks at SELinux AVCs
- Creates new policy and puts in the home directory for the application - example: I just did it for HAProxy this week.
- If I fucked something up and I know the other apps have their policy modules in their place, I just do a restorecon and spend 5 minutes going through the policies whilst reprimanding myself for my stupidity.
I’m being honest that is literally what’s it’s been like to use SELinux. For context, AppArmour is exactly the same situation but now I need to edit a file (I can be lazy and keep appending rules to it but that will bite me later). If we’re going down the path of SELinux being complex for daily usage, then all MAC has the same problem.
I admit that I would find it daunting to do this for a desktop environment. It’s there that I want a pre-configured SELinux policy OOTB. On servers though? It’s not a big deal for me.
Or maybe I missed something.
Generally, we don’t. I can count on one hand the number of times I’ve had to mess with it. Two times I had to use restorecon, and two times I had to loosen permissions for an HTTP server. Literally everything else has worked without issue.
I know some people love to bitch and moan about it, but honestly I have to ask what they’re doing, because I’ve had zero non-trivial problems.
If you’ve used something like AppArmor, you’ll see how SELinux is overly complex.
I have and I’ve been left scratching my head both times. AppArmour just deals with files whilst SELinux has contexts - that’s the only operational difference I’ve needed to notice. I create custom policies and am on my way.
For me it’s not so much hate as just not really having experience with it, so most of the time if it causes an issue I either just find a command that sets the policy correctly, or more likely disable it.
I should spend some time figuring it out, but it’s just one more seemingly esoteric and arcane system that feels at first like it merely exists to get in my way, like systemd, and I’m left wondering do I really need this headache, and what is it really giving me anyway?
Do you feel that way about all MAC or just SELinux? AppArmour is similarly arcane when you’re in the zone configuring your application. TBH RedHat has troubleshooting instructions in their docs, I just Copts paste and edit as necessary and it doesn’t take that long. I guess I just spent more time at it
The only real permissions systems I’m familiar with are the basic octal permissions in *NIX and NTFS permissions. I know those aren’t really quite the same but they’re the closest I have actual experience with to be able to have an opinion about.
At one point I also knew a little iptables but that was over fifteen years ago now.
As said, I really should spend some time with them, I just need the motivation.
ACLs are pretty good and have come in handy for me multiple times
