Why do we hate SELinux?
-
I think you make a good point, but it's one that affects any anti-malicious protection. How do you know that the anti-virus warning you get on Windows is legitimate and not a false alert? Or that the Apparmor block wasn't a misfire? Selinux is no better nor worse in principle than those.
In all cases, you need to stop and figure out what's actually going on. That's one benefit of all these things - they make you pause and, hopefully, think, when something is outside the norm.
And yep, they can be bypassed and they need to be able to be bypassed. If someone is lazy or not knowledgeable enough to make the right decision, or even just in a hurry, then they are at risk. No automated system can protect entirely against that.
I would go a step further and say that any time one of these MAC systems has to resort to user interaction to do its job, it's a straight up failure case: the system simply didn't have enough information to do its job, ended up doing no better than a blanket "block everything" config, and is asking the user to do 100% of the heavy lifting of determining what should happen.
So, when I hear
If someone is lazy or not knowledgeable enough to make the right decision...No automated system can protect [them].
I hear: "every access control system is fundamentally broken". Which is fine, maybe that's true, there's a reason social engineering is so useful. So then all these systems should prioritize streamlining that failure case as much as possible: Tell the user what is accessing what, when, how, and then make it trivial to temporarily (with well defined limits), permanently, (or even volatile-y using CoW/containerization/overlay fs) grant or deny access as quickly and easily as possible.
Every other system you're comparing SELinux, AFAIK, handles this case better, which is why users tend to prefer them.
For the record, I'm not arguing that SELinux is bad at the actual access control part, I'm only answering why people don't like using it, which is how it handles the failure case part. Now it's been a while since I've used SELinux and I've never used setroubleshooter, but if you tell me it actually streamlines all of this to be smoother than every other tool, then I'll install it tonight!
-
This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.
So yeah, why do we hate SELinux?
I'd love to develop a muscle memory for working with it, but nowhere I've worked uses it at all. But from memory it really wasn't that complicated, and the errors it spat out into system logs basically told you exactly what command to run to get past that particular violation.
I don't hate it at all. Just, never seen it used anywhere.
-
Permissive mode, and yes, you absolutely can. That shows warnings but doesn't actively block. But you still benefit from running setroubleshoot to actually figure out what and why it's blocked something, and how to mitigate that.
Permissive is also good in that you can get a bunch of blocks reported at once, instead of having to step through one at a time, which can be useful.
That's what I was thinking, I know the pain of watching something run for ages, only to finally get past where it failed last time and run straight in to another stumbling block.
I don't envy you having to work in an SELinux environment with less than stellar developer understanding of policies and contexts.
-
ACLs are pretty good and have come in handy for me multiple times
ACLs are literally what makes up NTFS permissions, too, they just aren't as clear about it
-
I'd love to develop a muscle memory for working with it, but nowhere I've worked uses it at all. But from memory it really wasn't that complicated, and the errors it spat out into system logs basically told you exactly what command to run to get past that particular violation.
I don't hate it at all. Just, never seen it used anywhere.
I run SELinux on tons of servers at work. We taught our Oracle consultants how to use it. Some software vendors get mad at us because we require it and we always figure out how to make it work and it isn't all that bad to work with once you're used to it
-
This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.
So yeah, why do we hate SELinux?
I don't hate it. What's SELinux?
-
This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.
So yeah, why do we hate SELinux?
I only had a problem with it once, but having no experience with it really confused me.
I was mounting a directory to a docker container and i kept getting permission errors. The errors were not descriptive at all and really confused me as i already had sudo privileges and wasn't expecting any problems with permission.
-
I don't hate it. What's SELinux?
-
This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.
So yeah, why do we hate SELinux?
I don't hate it, but as a PC/phone user it's security features are almost never helpful and always cause issues so I just have it disabled.
-
In the time it took you to type that comment here, you could have typed it in Google and gotten an immediate response
-
This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.
So yeah, why do we hate SELinux?
Nothing wrong with it
It was built years ago by the NSA but I'm sure that by now any backdoors nwould have been found
Having said that: it could use some rework to become more intuitive, especially with the error messages and how to resolve them
-
In the time it took you to type that comment here, you could have typed it in Google and gotten an immediate response
Some people like to talk to each other. Like people who are people?
-
Some people like to talk to each other. Like people who are people?
-
Yep, we're right up there with lazy people who literally ask strangers to Google things for them and then sit back and wait for the response to be delivered to them personally. The worst.
This is an online DISCUSSION
Stfu
-
In the time it took you to type that comment here, you could have typed it in Google and gotten an immediate response
Was trying to start a discussion, my bad.
-
Yep, we're right up there with lazy people who literally ask strangers to Google things for them and then sit back and wait for the response to be delivered to them personally. The worst.
If they brought up SELinux I'd assume they had no need to Google it.
-
This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.
So yeah, why do we hate SELinux?
It's more work to get things to work. You have to be more explicit as a dev.
Personally I really like it, and wish there was more support for MLS features it has in Userland
-
If they brought up SELinux I'd assume they had no need to Google it.
-
This is an online DISCUSSION
Stfu
