
SELinux is beyond saving

137 points by fcambus almost 9 years ago

22 comments

greglindahl almost 9 years ago
When CentOS 7 came out, I decided to make peace with all of the new stuff (systemd) and all of the old stuff I had been disabling (SELinux).

Turns out that doing crazy shit like letting users have their html files in ~/public_html/ requires a lot of SELinux configuration. procmail touching user directories? Yep. spamassassin? Why, yes. Maybe there's something I did wrong... I did read the docs.

Also turns out that there isn't a tool which tells you what new rules are needed, relative to the existing configuration, for recent SELinux denies. Yeah, there are some tools to spit out a complete config file based on all logged problems, but not a diff, and I had already lost some of the early logs to logrotate n=4 by the time I realized I needed 'em.

111 lines of perl and 116 lines of SELinux rules later, I was in good shape. But REALLY? REALLY?
Comment #11773767 not loaded
Comment #11773751 not loaded
Comment #11773594 not loaded
Comment #11775712 not loaded
tjohns almost 9 years ago
It's worth noting that Android is using SELinux in recent versions for system hardening and as part of the sandboxing model.

See: https://source.android.com/security/selinux/

While I agree usability is suboptimal on servers, there are definitely environments it can excel in.
Comment #11773858 not loaded
Comment #11773684 not loaded
Comment #11775151 not loaded
_wldu almost 9 years ago
Russell Coker has done some work on SELinux. He's had a Linux box online since 2008 or so that users may ssh into as root. It's really amazing to see what SELinux can do. However, I agree that OpenBSD's focus on small and simple is the better approach.

https://www.coker.com.au/selinux/

https://www.coker.com.au/selinux/play.html
sn almost 9 years ago
Leaving selinux on would be easier if the access denials were put in the primary system log and/or in dmesg and did not just go in the audit log. It takes too long to figure out what the problem is with selinux. That being said, we leave it on in production, since with ansible we find the problem once and then incorporate the changes into our playbooks.

I've used both apparmor and selinux and while it was pretty easy to figure out how to write a custom profile for apparmor, it's not easy to do the same for selinux. If a custom profile for selinux could be made as easy to write, that would help a lot.
Comment #11773807 not loaded
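greglindahl's wish above for a tool that reports only the rules still needed relative to the existing configuration, and sn's point that the denials live in the audit log rather than the system log, can be sketched in a few lines. The following is an added example written for this page, not code from the thread, the linked article, or the SELinux project: it parses constructed `type=AVC ... avc: denied` records of the kind that land in /var/log/audit/audit.log, groups them by source type, target type and object class, and subtracts the permissions an existing (simplified) set of `allow` rules already grants. The sample log lines, the rule text, and the `allow src tgt:class { perms };` subset it understands are assumptions for illustration, not the full policy language.

```python
"""Summarise SELinux AVC denials and report which (source type, target type,
class, permission) tuples an existing set of allow rules does not yet cover.

Added example, not code from the thread. Sample log lines and rules are
constructed for illustration; the `allow ...;` syntax handled here is a
deliberately small subset of the policy language."""
import re
from collections import Counter, defaultdict

# Constructed audit.log excerpt (not real data): two httpd_t denials on a
# user's public_html file, a procmail_t denial on a Maildir, a non-AVC
# record that must be ignored, and a repeat of the first denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1464185050.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1464185051.200:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1464185052.001:458): avc:  denied  { write } for  pid=2222 comm="procmail" name="Maildir" dev="dm-0" ino=9999 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1464185052.001:458): arch=c000003e syscall=2 success=no exit=-13 comm="procmail"
type=AVC msg=audit(1464185053.300:459): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Only AVC records with the "denied" verdict; SYSCALL/PATH records are skipped.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def _key(match):
    return (context_type(match["scontext"]), context_type(match["tcontext"]), match["tclass"])


def parse_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials[_key(m)].update(m["perms"].split())
    return dict(denials)


def denial_counts(log_text):
    """Count AVC denial events per key, useful for deciding what to look at first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            counts[_key(m)] += 1
    return counts


# Simplified rule grammar: `allow src tgt:class { p1 p2 };` or `allow src tgt:class p1;`
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[^;\s]+))\s*;"
)


def parse_rules(policy_text):
    """Parse simplified allow rules into the same key -> permissions shape as parse_denials."""
    allowed = defaultdict(set)
    for m in RULE_RE.finditer(policy_text):
        perms = m["set"].split() if m["set"] is not None else [m["one"]]
        allowed[(m["src"], m["tgt"], m["cls"])].update(perms)
    return dict(allowed)


def missing_rules(denials, allowed):
    """Rules for denied permissions not already granted: the diff, not a full dump."""
    rules = []
    for key, perms in denials.items():
        needed = perms - allowed.get(key, set())
        if needed:
            src, tgt, cls = key
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(needed))} }};")
    return sorted(rules)


if __name__ == "__main__":
    existing = parse_rules("allow httpd_t user_home_t:file { read };")
    for rule in missing_rules(parse_denials(SAMPLE_AUDIT_LOG), existing):
        print(rule)
```

Run as a script it prints the `getattr` rule the existing policy lacks for httpd_t and the procmail_t rule. It is a triage aid, not a policy generator: `audit2allow` from policycoreutils is the supported way to turn denials into a loadable module, and every rule either of them suggests still needs someone to decide whether the access is legitimate, or whether the right fix is relabelling the files (for example to `httpd_sys_content_t`) rather than widening the domain.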
ansible almost 9 years ago
For desktop Linux, SELinux is indeed difficult to use on a day-to-day basis. To the point that there's no way I'd consider using it.

However, it is working great for Android, where all apps are already sandboxed, and you don't have to worry about the user installing some app that will use a new system call, or try to touch random files on the system.
Comment #11773841 not loaded
Comment #11775191 not loaded
nailer almost 9 years ago
When SELinux first came out I was working as a training instructor for RH. Every single knowledgeable sysadmin was kicked in the teeth by 'avc denied', one of the dumbest error messages to ever be created in Unix.

'avc' was Access Vector Cache. The Access Vector Cache was a component of SELinux. AVC denied meant selinux was denying access. But instead of printing 'selinux denied' - you know, like smb messages are for samba, and postfix messages are for postfix - the SELinux folks seemingly just wanted their audience to do a web search for 'avc denied'.

It's a small picky thing, but rather than one person fix something, they made every admin do a piece of research instead.

This is a pity: SELinux is one of the things that fixes the peering (aka 'Containers don't contain') issue with Docker.
chucky_z almost 9 years ago
May I disagree partially, using this author's exact words?

"... Unless you are a high risk target, spending almost any time beating SELinux into shape on your machine is a bad tradeoff and pretty much a waste ..." -- https://utcc.utoronto.ca/~cks/space/blog/linux/SELinuxToxicMistake

If you are a high risk target, SELinux is a great option.

Also, to refer to the partial disagreement, here is my exact feeling...

"I'm a security aware sysadmin and yet yesterday I casually admitted that I made less-secure choices because the really secure option was too annoying and potentially inconvenient. In fact this is not the only case where I make this tradeoff, picking a less secure but more convenient option..." -- https://utcc.utoronto.ca/~cks/space/blog/tech/SecurityNotImportant
Comment #11773488 not loaded
noonespecial almost 9 years ago
SELinux worked and worked well *when you knew how to use it*. (Learning how to use it was also reasonably hard.) Its primary problem was that its default behavior was stuff mysteriously failing on your system. This made it very hard for the uninitiated to get into it when stuff all over the web just recommended "turn off SELinux" as the first thing to do when something wasn't working right.

It got a bad reputation as that quirky security thing that keeps stuff from working all the time.
waspleg almost 9 years ago
I confess to disabling SELinux being one of the first things I always do on a new Linux box. It gets in the fucking way. A lot.
Comment #11773614 not loaded
Comment #11773819 not loaded
educar almost 9 years ago
Configuring SELinux reminded me of configuring email. My god, can simple systems be made more complex than this? I mean it's email and yet you have to really struggle with 100s of options to make sense of it all (and you do know sendmail has no public repo with a proper revision history, right?).

Apparmor, in contrast, is much easier to use (granted it has its warts) but at least they are trying to be user friendly instead of mathematically complete.

/rant
Comment #11773975 not loaded
Comment #11774069 not loaded
chris_wot almost 9 years ago
I'm sure it's not intentional, but the author spends quite a lot of time telling me that the SELinux folks aren't listening or learning what the real issues are in security, but try as I might, in all his links to his blog posts he doesn't actually state what they are!

What are the key issues that SELinux needs to address?
Comment #11773939 not loaded
api almost 9 years ago
Complexity is evil in security, and opt-in security generally doesn't work. SELinux is both complex and opt-in.
Comment #11773460 not loaded
Comment #11773825 not loaded
vardump almost 9 years ago
SELinux is still nice for hardening a safety critical server.

But configuring it sure isn't fun.
kevin_thibedeau almost 9 years ago
The post succeeds at saying nothing concrete about actual deficiencies in SELinux beyond "it gets in the way". Yes, of course it does. That's what locked down systems do, even if it's only to shoulder the blame for breaches on admins who disabled protections.
Comment #11775698 not loaded
matt_wulfeck almost 9 years ago
SELinux is not worth saving because security has been moving steadily into namespace separation (e.g., containers, virtual machines).

Giving an application/user an entire trimmed down OS namespace reduces damage done from getting pwned significantly. Why use a system that protects processes from running alongside each other when I can just give them their own, fenced-in home?
Comment #11773717 not loaded
Comment #11773782 not loaded
mgbmtl almost 9 years ago
The article (and the comments here) encouraged me to install SELinux on one of my (Debian) VMs to see how it goes, and I'm now wondering why I didn't try it earlier.
zanny almost 9 years ago
If you are a security purist, why aren't you using grsec / pax / rbac in the first place? The general totem pole is: grsec rbac is king > Apparmor is a destitute wannabe hacked together disaster that is still more usable than SELinux > Archlinux doesn't give a shit while Red Hat is off doing their own thing with SELinux with the NSA and Google.
kkirsche almost 9 years ago
Do people see this as something, though, which should be or needs to be replaced, or is this just an "it's dead"? If the first, are there any projects I could contribute to, or is a new project needed?
cryptos almost 9 years ago
What to use instead of SE Linux?
timthelion almost 9 years ago
While I have nothing against SELinux, I feel that modern solutions using containers have made it almost irrelevant.

And now some SE supporters are fighting back in the dirtiest way possible. https://opensource.com/business/14/7/docker-security-selinux Mr. Walsh makes all sorts of claims about things, such as devices, which are never exposed to the container, not being namespaced. It is very bad when someone who is respected and has qualifications goes and spreads lies and insinuations, just because their product is no longer relevant.
Comment #11773629 not loaded
Comment #11773788 not loaded
Endy almost 9 years ago
And this kind of crap is why I use Windows.
Comment #11775217 not loaded
Comment #11774270 not loaded
Comment #11773960 not loaded
Comment #11773947 not loaded
TimPrice almost 9 years ago
If he calls himself a security aware sysadmin but he is somehow breaking his own beliefs for productivity/delivery reasons, I don't see much of an interest.

Let him rant all he wants on his blog. Back to work.