
Stop Disabling SELinux: A Real-World Guide

236 points by samtoday over 8 years ago

27 comments

laurent123456 over 8 years ago
> Jan 31 10:48:54 server audit[16067]: AVC avc: denied { name_connect } for pid=16067 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0

I think one reason security programs are sometimes ineffective and end up being disabled is that they give problems to developers and sysadmins but no solutions.

I wish that rather than messages like "doesn't work - too bad", these programs would output a solution as well, such as "consider setting `httpd_can_network_connect` to `true` to allow it".

In some cases it might be tricky to propose a solution, in which case even a link to the doc would be useful, like "check http://example.com/doc#456 for more information". That would go a long way towards making security software issues less of a pain for those who aren't experts in the topic.
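As an added example (not code from the thread, the article, or any SELinux tool), here is the kind of denial-to-remediation hint the comment above asks for: a parser for AVC denial lines such as the one quoted, generalised to any denial, that keys on the (source type, permission, class) triple and emits a hint. The hint table, the sample log and the second log line are constructed assumptions; the booleans `httpd_can_network_connect` and `httpd_can_network_relay` and the `ausearch`/`audit2why` tools are real.

```python
import re
import shlex

# Constructed sample log: the nginx denial quoted in the comment above, plus a second
# constructed line (a file read denied in a home directory) to exercise the fallback path.
SAMPLE_AUDIT_LOG = """\
Jan 31 10:48:54 server audit[16067]: AVC avc: denied { name_connect } for pid=16067 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0
Jan 31 10:49:02 server audit[16101]: AVC avc: denied { read } for pid=16101 comm="nginx" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Shape of a denial: 'avc: denied { perm perm ... } for key=value key="quoted value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for tok in shlex.split(m.group("fields")):   # shlex strips the quotes around comm="nginx"
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    # Pull the type out of user:role:type:level so rules can key on httpd_t, not the full context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec[ctx]
    return rec

# Hypothetical hint table keyed on (source type, permission, target class). The booleans
# named are real ones from the httpd policy; the table itself is this example's assumption.
HINTS = {
    ("httpd_t", "name_connect", "tcp_socket"):
        "consider `setsebool -P httpd_can_network_connect on` (see httpd_selinux(8)); "
        "`httpd_can_network_relay` is the narrower boolean if nginx only proxies to HTTP ports",
}

def suggest(rec):
    """Return a remediation hint for a parsed denial, falling back to the generic audit tooling."""
    for perm in rec["perms"]:
        hint = HINTS.get((rec.get("scontext_type"), perm, rec.get("tclass")))
        if hint:
            return hint
    return ("no canned fix for %s %s on %s (target %s): run `ausearch -m avc -ts recent | audit2why` "
            "to learn whether a boolean, a relabel or a custom module would resolve it"
            % (rec.get("scontext_type"), "/".join(rec["perms"]), rec.get("tclass"), rec.get("tcontext_type")))

def explain_log(text):
    """Map every AVC denial in a log excerpt to (comm, perms, hint); non-AVC lines are skipped."""
    return [(rec.get("comm"), rec["perms"], suggest(rec))
            for rec in (parse_avc(line) for line in text.splitlines()) if rec]
```

On Fedora and RHEL the setroubleshoot package's `sealert` performs this kind of analysis on live denials; the example shows the mechanism, not a replacement for it.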
cessor over 8 years ago
I ran a CentOS server for a while (ran = not my responsibility any longer) with SELinux and a Tomcat portal app, as well as other, custom web apps (Ruby on Rails with a mail queue and MySQL backend, etc). I always left it in permissive, because I couldn't figure out how to properly configure it.

I tried understanding the principles behind it and configuring the different exceptions for several classes, but often this didn't work (e.g. I had used the wrong class, or enabled exceptions that were still blocked). The users of the Rails app kept calling, asking me why this or that feature wouldn't work. It was impossible for me to configure all exceptions - to me this was not surprising, given the complexity of the software that we had installed. I simply deemed the apps too complex and too "feature rich" to configure all SELinux exceptions manually.

I then understood that there is a different way: to set it to permissive, keep it running for a while and then generate an installable permissions profile, allowing all occurred violations as some kind of permissible exceptions.

This made sense to me, however it required downloading some dubious Python script that would create some dubious binary file. I got this to work, but then again, this or that feature was blocked. I finally kept it running on permissive. This is my individual story. The article makes it look as if it was really simple to configure it (when I started with SELinux I tried similar moves but never got it to work).

So, is it just me, or might it be that SELinux just has a major usability issue?
simias over 8 years ago
The problem with SELinux is that it's disabled by default on many distros. If you follow guides online that weren't written for a SELinux-enabled Linux install then it won't work.

To make matters worse, SELinux-related errors can be pretty arcane if you don't know what's going on. I'm usually a FreeBSD guy but I had to set up a CentOS 7 box a little while ago. I thought I was going insane when I couldn't get nginx to connect to a Unix domain socket. After an hour of hair pulling and inconclusive googling I finally understood that it was SELinux related.

I will admit that after that I simply disabled SELinux and never looked back. The benefits didn't seem worth the hassle to me.

If I want additional security and sandboxing I'd sooner use something like FreeBSD/Solaris jails. It's not exactly the same thing of course, but I find the mental model a lot simpler ("a machine within a machine") than SELinux's complicated and (IMO) hard-to-debug rules.
daenney over 8 years ago
The Gentoo wiki has an extensive and really good set of tutorials[0] on SELinux. It took me some time to get through those but it greatly increased my ability to work with SELinux. It does a good job of explaining the concepts themselves and helps build some familiarity with the CLI utilities and especially the debugging capabilities.

[0]: https://wiki.gentoo.org/wiki/SELinux
technofiend over 8 years ago
Frankly I found SELinux a little inscrutable and not worth the trouble of learning since I didn't use it at work, despite otherwise being someone who is up for self-education on anything new and interesting.

However, the Red Hat certified admin and engineer classes cover it with enough practical examples to make any SA functional with the tool. And as a former consultant, learning anything people *consider* difficult, whether or not it really is, can be profitable. :-)
eikenberry over 8 years ago
I never disable SELinux... but that is because it was never enabled. I use Debian and SELinux has never been on by default and if it were good enough it would have been. There is a reason it was never enabled.
sergioocon over 8 years ago
I've been using SELinux on my Fedora for the last 3 years, always in enforcing mode.

No major problems, just minor policy changes needed that the helper was already suggesting and that were easily fixed.

With the only exception that SELinux does not like my iPhone.
Ensorceled over 8 years ago
At my last gig we enabled SELinux as part of our PCI security procedures. I highly recommend it, but be aware that there is a fairly big ramp-up.

It pretty much doubles the effort for most sysadmin tasks; even simple things like tweaking a server setting become multi-step processes.

In my case, it was part of the reason I switched the team from DevOps only and brought in a real sysadmin.
neurostimulant over 8 years ago
I think one of the reasons why people disable AppArmor/SELinux is a bad experience spending hours trying to figure out why their service fails to run after a config update, only to realize it was blocked by AppArmor/SELinux. They'll just disable it and say "good riddance".

If you're running a headless server and can't figure out why your service suddenly can't start after a seemingly simple configuration update (changing port, changing data directory path, etc), be sure to check the AppArmor (Ubuntu) or SELinux (Red Hat distros) logs first.
devnonymous over 8 years ago
Just my experience: ever since it came enabled by default on Fedora I've been using it in permissive mode, i.e. don't enforce but notify about violations. IIRC, in the last couple of releases I've seen maybe a couple or so notifications, so the default set of rules out of the box on Fedora is definitely much better now than it used to be.

I might just turn it to enforcing mode.
bandrami over 8 years ago
Some distro (Mandrake? Debian? This was a while ago) had a bad default SELinux setup *for years* that introduced a subtle vulnerability that wasn't there in boxes that had SELinux disabled.

Knobs that can be tweaked can be tweaked wrong, and wrongly-tweaked knobs are security problems. Frankly I don't even like ACLs and capabilities for that exact reason: it's no longer immediately obvious what the actual permissions in a situation are ("let's see, the daemon is running in an unprivileged account, but it has CAP_SYS_ADMIN set, and this file is inheriting its ACLs from the parent dir..."). Making it more difficult to reason about security is generally a Bad Thing, and not worth whatever features that difficulty brings with it.
tokenizerrr over 8 years ago
I want to, but this article was not enough. Say I have my own binary running as a service, and it has to do these things. What do I do? This article seems to be geared specifically towards nginx/an httpd.

I should probably just read the manpages.
baldfat over 8 years ago
OpenSUSE as well as Arch, Debian and Ubuntu use AppArmor, and I never had a problem where I had to disable it.

AppArmor is less complex, but SELinux can be fine-tuned at the cost of pulling out your hair, with what security gain? The BIG ISSUE is the KERNEL: SELinux and AppArmor have the same policy with the Linux kernel, aka both of them can be bypassed and a hacker can just focus on the kernel.
njharman over 8 years ago
Hours I've spent dealing with security breaches (on Linux) - a few, false alarms.

Hours I've spent dicking with SELinux - too many before disabling it.

OTOH I've been admining *nix from before Linux existed.
yousry over 8 years ago
Why should I not use GRSecurity?

Comparison matrix:

https://grsecurity.net/compare.php
sandGorgon over 8 years ago
Some things need a change to not NEED SELinux. For example, lots of password files and certificates should not be stored in directories and files (and mucked about in SELinux). They are better off in the GNOME keyring (which is severely underutilized).

For example - networkmanager-openvpn. OpenVPN cert files are usually shared by VPN providers and then, when trying to load them, throw SELinux errors.

Here's the bounty to fix it - https://www.bountysource.com/issues/41582244-doesn-t-copy-referenced-certitifcate
fest over 8 years ago
SELinux is enabled by default on Android (since 5.0 or so) and, if I recall correctly, is required for Google to certify an Android device.

IMO it definitely reduces privilege escalation attacks there. I wonder if Apple uses a similar MAC system on iOS?

Also, it is usually transparent for user app developers but can cause a bit of headache for platform/system devs.

I just literally spent a day on an issue where an Android system service checks SELinux permission but does not audit the denial (= no error in logs) under certain conditions. That was not a problem with SELinux per se, but disabling SELinux would "solve" the problem.
patrickg_zill over 8 years ago
The problem is that I never had local users that might be malicious or that were prone to be hacked.<p>The attacks for servers tend to be over the network and there are many different ways to mitigate those.
throw7 over 8 years ago
Not one mention of dontaudit rules. The day I found out about them (years ago when I tried to use SELinux in the "real world"), I said nope.
msimpson over 8 years ago
If system administration was carpentry, SELinux would be the glue. And sometimes, it's just easier to use screws.
rascul over 8 years ago
I'll stop disabling SELinux when I have a problem that it solves.
devdoomari over 8 years ago
How does AppArmor compare to SELinux?
hobarrera over 8 years ago
So, this is a guide about how you can configure a broken out-of-the-box security framework, trying to convince me to enable it?

Thanks, but I'd rather start from something that works, and build adding security from there, not vice versa.
adakbar over 8 years ago
It brought shame every time I needed to configure a new production server; the first thing I did was change to permissive mode.
Proven over 8 years ago
I call BS. I have 0 use for it. I wouldn't disable it as a matter of best practice, but it's too annoying.
hadfgdasf over 8 years ago
I will continue to disable SELinux, and no number of arcane articles about how EASY it is will convince me otherwise.

Stick that in your pipe and smoke it.
throw2016 over 8 years ago
No thanks! Given the never-ending list of revelations, Red Hat's deep ties to the US security industry and the NSA are problematic. Why should anyone not already a part of the government security industry trust SELinux?

By not coming out openly and explicitly criticizing the US security services for their anti-constitutional and blatant authoritarianism, Red Hat has demonstrated which side it is on. It has no qualms enabling and supporting this behavior and is not a principled member of the free software movement. Something for which it has yet to be held to account.

Given the movement against Trump is exactly against this kind of authoritarianism, the lack of scrutiny of tech companies like Red Hat, Palantir and others is hypocritical. By not speaking out you are supporting these actions.

The fact that it is an absolute pain to configure and representative of a user-hostile software model makes it that much easier to avoid, even for those with more practical considerations.