this post was submitted on 25 Mar 2025
1 points (100.0% liked)


This is not a troll post. I'm genuinely confused as to why SELinux gets so much hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from Red Hat's guide.

So yeah, why do we hate SELinux?

top 6 comments
[–] digdilem@lemmy.ml 2 points 4 weeks ago* (last edited 4 weeks ago)

I have a saying, "If it's not DNS, then it's Selinux". It blocks stuff so frequently it's a major time sink for us.

It is overly complex and difficult to understand, especially if you're developing and deploying software that does not have correct pre-rolled policies. A regular job for me is to help developers solve this - which generally means running their service, seeing what Selinux blocks on, and then applying a fix. Repeat 2-8 times until every way Selinux is trying to access a file is explicitly allowed. And sometimes, even software that comes via official repos has buggy selinux policies that break things.

Fortunately, there are tools to help you. Install setroubleshooter and when something doesn't work, "grep seal /var/log/messages" and if it's selinux causing the problem, you'll find instructions showing you what went wrong and how to create an exception. I absolutely consider this tool essential when using any system with selinux enabled.
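
The "run it, see what gets blocked, fix, repeat" loop described in the comment above gets shorter when all logged denials are grouped in one pass. The following is an added example, not part of the comment or the thread: a small Python parser for AVC denial records. The log lines, the `myapp_t` domain, the port and the function names are constructed for illustration, and the printed rules are candidates to review, not policy to load as-is.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = '''\
type=AVC msg=audit(1742900000.101:410): avc:  denied  { read } for  pid=2211 comm="myapp" name="app.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1742900003.552:418): avc:  denied  { open } for  pid=2240 comm="myapp" path="/etc/myapp/app.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1742900003.552:418): arch=c000003e syscall=257 success=no exit=-13 comm="myapp"
type=AVC msg=audit(1742900009.870:431): avc:  denied  { name_bind } for  pid=2290 comm="myapp" src=9911 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
'''

# Denied permissions, source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (SYSCALL, PATH, ...) are skipped
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        grouped[key].update(m['perms'].split())
    return dict(grouped)

def candidate_rules(grouped):
    """Render one allow rule per group so each can be reviewed on its own."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == '__main__':
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

A rule that would grant a service access to a broad type such as `etc_t` is usually a sign that the file needs a more specific label rather than a wider allow rule.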

[–] unhrpetby@sh.itjust.works 1 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

Security is much more effective and adopted when it is simple. My understanding is that SELinux is not.

This means not only will fewer people use it and more people turn it off if something doesn't work, it means more people are at risk of misconfiguring their system to allow something they didn't intend to.

This is somewhat mitigated by the fact that, from my experience, Linux Security Modules can't ever make you less secure than without it. But it still can provide a false sense of security if you misconfigure it.

Here is a good article showing what I am referring to, and providing a solid security tool: BSD pledge/unveil on Linux.

[–] socsa@piefed.social 0 points 3 weeks ago

SELinux isn't really meant to be a user space "utility," for lack of a better term. It's meant to be an expert focused security framework for those with the expertise to both understand and implement robust security policies. Your average user daily driving Linux or even running a few self hosted services doesn't really need complex security policies, and is definitely better served by some simpler tools.

[–] phoenixz@lemmy.ca 1 points 3 weeks ago

Nothing wrong with it

It was built years ago by the NSA but I'm sure that by now any backdoors would have been found

Having said that: it could use some rework to become more intuitive, especially with the error messages and how to resolve them

[–] Quazatron@lemmy.world 1 points 4 weeks ago

I don't hate it, I know that it adds a lot of security to a system, it's just that it's not user friendly and it can sometimes leave you scratching your head wondering what the hell happened.

[–] lelgenio@lemmy.ml 1 points 4 weeks ago

The only thing I know about SELinux is that the NSA made it, and that you need to add :z to docker volumes to fix permissions.