agnos.is Forums

Why do we hate SELinux?

67 Posts 39 Posters 180 Views
#1 [email protected]:

This is not a troll post. I'm genuinely confused as to why SELinux gets so much hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from Red Hat's guide.

So yeah, why do we hate SELinux?

#2 Guest, replying to #1:

      The only thing I know about SELinux is that the NSA made it, and that you need to add :z to docker volumes to fix permissions.

#3 shimitar@downonthestreet.eu, replying to #1:

It's just complex.

I hate it for my Android device maintainer role much more than my Linux admin role...

On Android, it's a fucking mess between vendor stuff and system stuff. Not because of SELinux itself, but because of the mess that vendors often make.

#4 Guest, replying to #1:

          If you've used something like AppArmor, you'll see how SELinux is overly complex.

#5 remotelove@lemmy.ca, replying to #3:

"It's just complex"

When a security mechanism becomes more complex to manage than what it is supposed to protect, it becomes a vulnerability itself.

If you had a minimal system that you built from the ground up yourself and wanted to only have that system function in very specific ways, SELinux would be perfect. I would go so far as to say it would be nearing perfection in some ways.

Sorry, but in the real world, ain't nobody got time for that shit. If you use auto-configuration tools or pre-canned configs for SELinux on a system you are unfamiliar with, it's more likely to cause application issues, create security gaps and will likely be shut off by a Jr. admin who really has no fucking clue what he is doing anyway.

It's just easier to keep your system patched and ensure basic network security practices anyway.

It's not impossible to manage these days. In the early days it was, but most everything is automagic now. If I am not mistaken, SELinux can be enabled to log only, which would give you data better handled by a HIPS anyway. (Don't quote me on that.)

#6 remotelove@lemmy.ca, replying to #2:

              setenforce 0 is much cleaner, I have found.

#7 [email protected], replying to #1:

I have a saying, "If it's not DNS, then it's SELinux". It blocks stuff so frequently that it's a major time sink for us.

It is overly complex and difficult to understand, especially if you're developing and deploying software that does not have correct pre-rolled policies. A regular job for me is to help developers solve this, which generally means running their service, seeing what SELinux blocks on, and then applying a fix. Repeat 2-8 times until every way SELinux is trying to access a file is explicitly allowed. And sometimes, even software that comes via official repos has buggy SELinux policies that break things.

Fortunately, there are tools to help you. Install setroubleshooter, and when something doesn't work, run "grep seal /var/log/messages"; if it's SELinux, you'll find instructions showing you what went wrong and how to create an exception. I absolutely consider this tool essential when using any system with SELinux enabled.

#8 [email protected], replying to #7:

                  Thanks for the tip! Never heard of setroubleshooter tbh.

#9 [email protected], replying to #1:

For me it's not so much hate as just not really having experience with it, so most of the time if it causes an issue I either just find a command that sets the policy correctly, or more likely disable it.

I should spend some time figuring it out, but it's just one more seemingly esoteric and arcane system that feels at first like it merely exists to get in my way, like systemd, and I'm left wondering: do I really need this headache, and what is it really giving me anyway?

#10 shimitar@downonthestreet.eu, replying to #5:

                      I fully agree with you...

#11 remotelove@lemmy.ca, replying to #10:

                        Sorry if it sounded like my rant was directed at you as it absolutely wasn't. Your comment triggered me, because I absolutely fully agreed with it. 😉

#12 [email protected], replying to #6:

                          A mandatory part at the beginning of every Ansible playbook!

#13 quazatron@lemmy.world, replying to #1:

                            I don't hate it, I know that it adds a lot of security to a system, it's just that it's not user friendly and it can sometimes leave you scratching your head wondering what the hell happened.

#14 [email protected], replying to #1:

                              Docker container can't read a bind mount. Permission issue? No, it's SELinux, again. And I didn't even install it explicitly, it just got pulled in by another package.

#15 [email protected], replying to #1:

Security is much more effective and adopted when it is simple. My understanding is that SELinux is not.

This means not only will fewer people use it and more people turn it off if something doesn't work, it means more people are at risk of misconfiguring their system to allow something they didn't intend to.

This is somewhat mitigated by the fact that, from my experience, Linux Security Modules can't ever make you less secure than without them. But they can still provide a false sense of security if you misconfigure them.

#16 [email protected], replying to #6:

That's my go-to for quickly triaging whether a problem is being caused by SEL or not.

#17 lukecooperatus@lemmy.ml, replying to #14:

                                    Isn't that trivially simple to address though? Just add :z to the end of the mount value string, and restart the container.

#18 [email protected], replying to #15:

Yep. In Android modding, prior to Magisk and Google overcomplicating things, the first step was "selinux permissive".

#19 [email protected], replying to #15:

                                        SELinux isn't really meant to be a user space "utility," for lack of a better term. It's meant to be an expert focused security framework for those with the expertise to both understand and implement robust security policies. Your average user daily driving Linux or even running a few self hosted services doesn't really need complex security policies, and is definitely better served by some simpler tools.

#20 [email protected], replying to #15:

I think this is where the confusion happens.

I use SELinux at my job. I admit that I'm not a Linux expert, neither am I an SELinux guru. The only interaction I have with SELinux is:

• Oh, my app keeps dying even after I chown the relevant directories.
• Look at the SELinux AVCs.
• Create a new policy and put it in the home directory for the application. Example: I just did it for HAProxy this week.
• If I fucked something up and I know the other apps have their policy modules in their place, I just do a restorecon and spend 5 minutes going through the policies whilst reprimanding myself for my stupidity.

I'm being honest, that is literally what it's been like to use SELinux. For context, AppArmor is exactly the same situation, but now I need to edit a file (I can be lazy and keep appending rules to it, but that will bite me later). If we're going down the path of SELinux being complex for daily usage, then all MAC has the same problem.

I admit that I would find it daunting to do this for a desktop environment. It's there that I want a pre-configured SELinux policy OOTB. On servers though? It's not a big deal for me.

Or maybe I missed something.

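Posts #1, #7, #14/#17 and #20 all describe the same loop: run the service, pull the AVC denials out of the audit log (via setroubleshoot's sealert, or a grep), then either write an allow rule, relabel with restorecon, or add :z to a container bind mount. The script below is an added example, not code from this thread or from the SELinux, setroubleshoot or audit2allow projects. It parses constructed audit records of the shape the kernel emits, merges denials by (source type, target type, object class) the way audit2allow does, and then applies a defender's sanity check before suggesting a rule: a container domain touching anything other than container_file_t, or a target labeled default_t or unlabeled_t, is a labeling problem, and "allow" would be the wrong fix. The sample log lines, the MISLABEL_TYPES set and the wording of the recommendations are my assumptions; the type names (haproxy_t, container_t, container_file_t, default_t, var_t) are standard targeted-policy types.

```python
"""Triage SELinux AVC denials: allow rule vs. relabel (added example)."""
import re
from collections import defaultdict

# Constructed sample audit records (not real logs). Three AVC denials plus a
# SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="haproxy" name="site.pem" dev="dm-0" ino=98765 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=1234 comm="haproxy" path="/srv/tls/site.pem" dev="dm-0" ino=98765 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { read } for  pid=2345 comm="nginx" name="index.html" dev="dm-0" ino=11111 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.000:459): avc:  denied  { getattr } for  pid=3456 comm="httpd" path="/srv/www/app.conf" dev="dm-0" ino=22222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000002.000:459): arch=c000003e syscall=4 success=yes exit=0
"""

# Matches the fields we need from an "avc: denied" record; permissive= is optional
# because older kernels did not log it.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Target types that usually mean "the file is mislabeled", not "policy is
# missing" (assumption: a heuristic, not an exhaustive list).
MISLABEL_TYPES = {"default_t", "unlabeled_t"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Parse audit text into one dict per AVC denial record."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types are ignored
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def summarize(denials):
    """Merge denials sharing (source, target, class) and union their perms."""
    merged = defaultdict(lambda: {"perms": set(), "permissive": False})
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        merged[key]["perms"] |= d["perms"]
        merged[key]["permissive"] |= d["permissive"]
    return dict(merged)


def recommend(summary):
    """Return (key, kind, text) triples; kind is 'allow' or 'relabel'."""
    out = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        if stype == "container_t" and ttype != "container_file_t":
            # The Docker/Podman case from the thread: the bind mount carries the
            # host label. Relabel it (:z shared, :Z private) instead of opening
            # container_t to arbitrary host types.
            kind, text = "relabel", (
                f"bind mount is {ttype}: add :z (shared) or :Z (private) to the "
                "volume, or chcon -t container_file_t; do not add an allow rule")
        elif ttype in MISLABEL_TYPES:
            kind, text = "relabel", (
                f"target is {ttype}: run restorecon -Rv on the path, or set the "
                "expected type with semanage fcontext -a -t <type> then restorecon")
        else:
            # The audit2allow-style output; review it before loading, and for
            # triage prefer 'semanage permissive -a <domain>' over setenforce 0.
            kind, text = "allow", f"allow {stype} {ttype}:{tclass} {{ {perms} }};"
        if info["permissive"]:
            text += "  (seen with permissive=1: logged only, access was not blocked)"
        out.append(((stype, ttype, tclass), kind, text))
    return out


def triage(log_text):
    """Full pipeline: audit text -> recommendations."""
    return recommend(summarize(parse_avc(log_text)))


if __name__ == "__main__":
    for key, kind, text in triage(SAMPLE_AUDIT_LOG):
        print(f"[{kind:7}] {'/'.join(key)}: {text}")
```

To run it against a live system, feed it the output of `ausearch -m AVC -ts recent` instead of the constructed sample. The "allow" branch is deliberately only a starting point: audit2allow-style rules reflect what the program tried to do, not what it should be allowed to do, so each one deserves a look before it goes into a module.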