agnos.is Forums

Why do we hate SELinux?

67 Posts 39 Posters 180 Views
  • M [email protected]

    Do you feel that way about all MAC or just SELinux? AppArmor is similarly arcane when you're in the zone configuring your application. TBH Red Hat has troubleshooting instructions in their docs, I just copy-paste and edit as necessary and it doesn't take that long. I guess I just spent more time at it.

    [email protected]
    #34

    The only real permissions systems I'm familiar with are the basic octal permissions in *NIX and NTFS permissions. I know those aren't really quite the same but they're the closest I have actual experience with to be able to have an opinion about.

    At one point I also knew a little iptables but that was over fifteen years ago now.

    As said, I really should spend some time with them, I just need the motivation.

    • M [email protected]

      This is not a troll post. I'm genuinely confused as to why SELinux gets so much hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from Red Hat's guide.

      So yeah, why do we hate SELinux?

      [email protected]
      #35

      SELinux is complex

      • L [email protected]


        [email protected]
        #36

        ACLs are pretty good and have come in handy for me multiple times

        • M [email protected]

          Is it not possible to run it in audit mode in dev and have it tell you what the would have blocked?

          [email protected]
          #37

          Permissive mode, and yes, you absolutely can. That shows warnings but doesn't actively block. But you still benefit from running setroubleshoot to actually figure out what it has blocked and why, and how to mitigate that.

          Permissive is also good in that you can get a bunch of blocks reported at once, instead of having to step through one at a time, which can be useful.

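The triage step described in the post above (run permissive, collect all the denials in one go, then work out what was blocked and why) as an added Python example that is not from the thread: it parses audit.log AVC records, groups them by source domain, target type and object class, merges the requested permissions, and flags which ones were actually enforced (permissive=0) versus only logged (permissive=1). The log lines are constructed for illustration; the field layout is the standard AVC record format.

```python
import re
from collections import defaultdict

# One AVC record in audit.log format; we pull out the fields needed for triage.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bcomm=\"(?P<comm>[^\"]*)\""
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: the access went through but was logged; 0: it was blocked.
        "permissive": m.group("permissive") == "1",
    }

def summarise(lines):
    """Group denials by (source domain, target type, class); merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["enforced"] |= not rec["permissive"]
    return dict(groups)

def report(groups):
    """One line per group: who accessed what, which permissions, and whether it was enforced."""
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        state = "BLOCKED" if g["enforced"] else "would block (permissive)"
        out.append(f"{src} -> {tgt} ({cls}): {{ {' '.join(sorted(g['perms']))} }} "
                   f"by {','.join(sorted(g['comms']))} [{state}]")
    return out

# Constructed sample records (not from a real system): two logged in permissive mode, one enforced.
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.101:11): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1700000000.102:12): avc:  denied  { open } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1700000000.103:13): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1700000000.103:13): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"',
]

if __name__ == "__main__":
    for line in report(summarise(SAMPLE_LOG)):
        print(line)
```

Each output line reads like the type-enforcement rule a policy module would need, which is the moment to ask whether the access is legitimate before writing one.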
          • T [email protected]

            How do you know when you're letting through a valid access, an unnecessary one that could be a vulnerability, and an actively malicious one?

            I don't think anyone is saying throw out all access control, they're just saying SELinux adds too much unproductive friction for everyday usage. You said it takes 15m to troubleshoot. But that's not a one time thing, that's 15m that scales with the amount of new programs and updates you're running. And 90% of people aren't even going to be able to tell they're looking at a malicious access if they're in the habit of always working around blocks that show up.

            [email protected]
            #38

            I think you make a good point, but it's one that affects any anti-malicious protection. How do you know that the anti-virus warning you get on Windows is legitimate and not a false alert? Or that the AppArmor block wasn't a misfire? SELinux is no better nor worse in principle than those.

            In all cases, you need to stop and figure out what's actually going on. That's one benefit of all these things - they make you pause and, hopefully, think, when something is outside the norm.

            And yep, they can be bypassed and they need to be able to be bypassed. If someone is lazy or not knowledgeable enough to make the right decision, or even just in a hurry, then they are at risk. No automated system can protect entirely against that.

            • kingthrillgore@lemmy.mlK [email protected]


              [email protected]
              #39

              MAC is generally more complex than simple Unix permissions. Whether SELinux is more complex than AppArmor is more up to preference in my opinion.

              • M [email protected]


                [email protected]
                #40

                I definitely do not hate SELinux, I think it's a great system. But my experience mostly (at home, anyway) comes from managing servers running Kubernetes clusters and, like, just using podman to deploy containers. In both these cases SELinux is on a "just works" basis, for the most part.

                Then in an enterprise environment that doesn't run everything on containers, you usually have a very standardized way of applying SELinux policies. At my last place of work we did it via an Ansible role. It was simple and easy.

                But I can imagine using SELinux at home, where you maybe don't have these things, might be a rather "mysterious" experience. It's not the most obvious system.

                But learning to write your own policies (even if just through se2allow or whatever it's called) does de-mystify SELinux pretty quick.

                • D [email protected]


                  [email protected]
                  #41

                  I would go a step further and say that any time one of these MAC systems has to resort to user interaction to do its job, it's a straight up failure case: the system simply didn't have enough information to do its job, ended up doing no better than a blanket "block everything" config, and is asking the user to do 100% of the heavy lifting of determining what should happen.

                  So, when I hear

                  If someone is lazy or not knowledgeable enough to make the right decision...No automated system can protect [them].

                  I hear: "every access control system is fundamentally broken". Which is fine, maybe that's true, there's a reason social engineering is so useful. So then all these systems should prioritize streamlining that failure case as much as possible: Tell the user what is accessing what, when, how, and then make it trivial to temporarily (with well defined limits), permanently, (or even volatile-y using CoW/containerization/overlay fs) grant or deny access as quickly and easily as possible.

                  Every other system you're comparing SELinux to, AFAIK, handles this case better, which is why users tend to prefer them.

                  For the record, I'm not arguing that SELinux is bad at the actual access control part, I'm only answering why people don't like using it, which is how it handles the failure case part. Now it's been a while since I've used SELinux and I've never used setroubleshooter, but if you tell me it actually streamlines all of this to be smoother than every other tool, then I'll install it tonight!

                  • M [email protected]


                    [email protected]
                    #42

                    I'd love to develop a muscle memory for working with it, but nowhere I've worked uses it at all. But from memory it really wasn't that complicated, and the errors it spat out into system logs basically told you exactly what command to run to get past that particular violation.

                    I don't hate it at all. Just, never seen it used anywhere.

                    • D [email protected]


                      [email protected]
                      #43

                      That's what I was thinking, I know the pain of watching something run for ages, only to finally get past where it failed last time and run straight into another stumbling block.

                      I don't envy you having to work in an SELinux environment with less than stellar developer understanding of policies and contexts.

                      • M [email protected]


                        [email protected]
                        #44

                        ACLs are literally what makes up NTFS permissions, too, they just aren't as clear about it

                        • noxypaws@pawb.socialN [email protected]


                          [email protected]
                          #45

                          I run SELinux on tons of servers at work. We taught our Oracle consultants how to use it. Some software vendors get mad at us because we require it and we always figure out how to make it work and it isn't all that bad to work with once you're used to it

                          • M [email protected]


                            [email protected]
                            #46

                            I don't hate it. What's SELinux?

                            • M [email protected]


                              [email protected]
                              #47

                              I only had a problem with it once, but having no experience with it really confused me.

                              I was mounting a directory to a docker container and I kept getting permission errors. The errors were not descriptive at all and really confused me as I already had sudo privileges and wasn't expecting any problems with permission.

                              • daggermoon@lemmy.worldD [email protected]


                                Guest
                                #48

                                In the time it took you to type that comment here, you could have typed it in Google and gotten an immediate response

                                • M [email protected]


                                  [email protected]
                                  #49

                                  I don't hate it, but as a PC/phone user its security features are almost never helpful and always cause issues so I just have it disabled.

                                  • ? Guest


                                    Guest
                                    #50

                                    Internet users like you are the worst.

                                    • M [email protected]


                                      [email protected]
                                      #51

                                      Nothing wrong with it

                                      It was built years ago by the NSA but I'm sure that by now any backdoors would have been found.

                                      Having said that: it could use some rework to become more intuitive, especially with the error messages and how to resolve them

                                      • ? Guest


                                        Guest
                                        #52

                                        Yep, we're right up there with lazy people who literally ask strangers to Google things for them and then sit back and wait for the response to be delivered to them personally. The worst.

                                        • ? Guest


                                          [email protected]
                                          #53

                                          Some people like to talk to each other. Like people who are people?
