This is not a troll post. I’m genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it’s a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat’s guide.

So yeah, why do we hate SELinux?

  • unhrpetby@sh.itjust.worksEnglish
    25·
    17 hours ago

    Security is much more effective and adopted when it is simple. My understanding is that SELinux is not.

    This means not only will fewer people use it and more people turn it off if something doesn’t work, it means more people are at risk of misconfiguring their system to allow something they didn’t intend to.

    This is somewhat mitigated from the fact that, from my experience, Linux Security Modules cant ever make you less secure than without it. But it still can provide a false sense of security if you misconfigure it.

    Here is a good article showing what I am referring to, and providing a solid security tool: BSD pledge/unveil on Linux.

    • marauding_gibberish142@lemmy.dbzer0.comOPEnglish
      3·
      13 hours ago

      I think this is where the confusion happens.

      I use SELinux at my job. I admit that I’m not a Linux expert, neither am I an SELinux guru. The only interaction I have with SELinux is:

      • Oh, my app keeps dying even after I chown the relevant directories.
      • Looks at SELinux AVCs
      • Creates new policy and puts in the home directory for the application - example: I just did it for HAProxy this week.
      • If I fucked something up and I know the other apps have their policy modules in their place, I just do a restorecon and spend 5 minutes going through the policies whilst reprimanding myself for my stupidity.

      I’m being honest that is literally what’s it’s been like to use SELinux. For context, AppArmour is exactly the same situation but now I need to edit a file (I can be lazy and keep appending rules to it but that will bite me later). If we’re going down the path of SELinux being complex for daily usage, then all MAC has the same problem.

      I admit that I would find it daunting to do this for a desktop environment. It’s there that I want a pre-configured SELinux policy OOTB. On servers though? It’s not a big deal for me.

      Or maybe I missed something.

    • socsa@piefed.socialEnglish
      2·
      13 hours ago

      SELinux isn’t really meant to be a user space “utility,” for lack of a better term. It’s meant to be an expert focused security framework for those with the expertise to both understand and implement robust security policies. Your average user daily driving Linux or even running a few self hosted services doesn’t really need complex security policies, and is definitely better served by some simpler tools.

    • MonkderVierte@lemmy.ml
      3·
      15 hours ago

      Yep. Android modding prior to Magisk and Google overcomplicating things was the first step “selinux permissive”.