this post was submitted on 25 Mar 2025
37 points (87.8% liked)

Linux

52309 readers
1055 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
nooter692@lemmy.ml
AgreeableLandscape@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
37
Why do we hate SELinux? (lemmy.dbzer0.com)
submitted 15 hours ago by marauding_gibberish142@lemmy.dbzer0.com to c/linux@lemmy.ml
35 comments fedilink hide all child comments
 

This is not a troll post. I'm genuinely confused as to why SELinux gets so much of hate. I have to say, I feel that it's a fairly robust system. The times when I had issues with it, I created a custom policy in the relevant directory and things were fixed. Maybe a couple of modules here and there at the most. It took me about 15 minutes max to figure out what permissions were being blocked and copy the commands from. Red Hat's guide.

So yeah, why do we hate SELinux?

all 36 comments
sorted by: hot top controversial new old
[–] timbuck2themoon@sh.itjust.works 2 points 3 hours ago (1 children)

I think it depends who you ask.

As a linux admin, I don't mind it and actually really appreciate it. It's a robust system like you said and though a bit persnickety on resolving things, does its job well.

As a home user, I find that mostly you shouldn't know it ever exists anyhow. The one time you might would be podman volume issues (when you forget or don't know to append a z/Z) or when you're doing something odd. I can see how some would dislike it in that case.

But in any case I fully recommend running it and just learning how to use it. Kind of like IPv6. It's misunderstood, too often disabled, and should be more widespread. They both are really improvements to what came before. Just technology that takes a little more time to learn is all.

Here is a helpful video explaining it- https://youtu.be/_WOKRaM-HI4

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 2 hours ago

SRE here and I agree with you. I'm basically a glorified Linux admin lol

[–] deadcatbounce@reddthat.com 2 points 4 hours ago

For many years I installed Fedora from scratch (almost as if my PC was a Linux container and then added a kernel setup) to be exactly as I wanted it no cruft, no bloat. I did that with other distros as well, Debian didn't recommend SELinux.

Last year I installed it from scratch using the installer and that included SELinux. With changes in SELinux policy, I found an installed flatpak which successive iterations didn't like SELinux or tried to operate outside it. Fixing it was easy but I didn't do so until I understood why it was violating.

I had unknowingly subscribed to the FUD about SELinux, I doesn't get in my way. Maybe I'm not as elite as I thought I was!

[–] unhrpetby@sh.itjust.works 20 points 12 hours ago* (last edited 11 hours ago) (3 children)

Security is much more effective and adopted when it is simple. My understanding is that SELinux is not.

This means not only will fewer people use it and more people turn it off if something doesn't work, it means more people are at risk of misconfiguring their system to allow something they didn't intend to.

This is somewhat mitigated from the fact that, from my experience, Linux Security Modules cant ever make you less secure than without it. But it still can provide a false sense of security if you misconfigure it.

Here is a good article showing what I am referring to, and providing a solid security tool: BSD pledge/unveil on Linux.

[–] marauding_gibberish142@lemmy.dbzer0.com 3 points 7 hours ago

I think this is where the confusion happens.

I use SELinux at my job. I admit that I'm not a Linux expert, neither am I an SELinux guru. The only interaction I have with SELinux is:

  • Oh, my app keeps dying even after I chown the relevant directories.
  • Looks at SELinux AVCs
  • Creates new policy and puts in the home directory for the application - example: I just did it for HAProxy this week.
  • If I fucked something up and I know the other apps have their policy modules in their place, I just do a restorecon and spend 5 minutes going through the policies whilst reprimanding myself for my stupidity.

I'm being honest that is literally what's it's been like to use SELinux. For context, AppArmour is exactly the same situation but now I need to edit a file (I can be lazy and keep appending rules to it but that will bite me later). If we're going down the path of SELinux being complex for daily usage, then all MAC has the same problem.

I admit that I would find it daunting to do this for a desktop environment. It's there that I want a pre-configured SELinux policy OOTB. On servers though? It's not a big deal for me.

Or maybe I missed something.

[–] socsa@piefed.social 2 points 7 hours ago

SELinux isn't really meant to be a user space "utility," for lack of a better term. It's meant to be an expert focused security framework for those with the expertise to both understand and implement robust security policies. Your average user daily driving Linux or even running a few self hosted services doesn't really need complex security policies, and is definitely better served by some simpler tools.

[–] MonkderVierte@lemmy.ml 2 points 9 hours ago

Yep. Android modding prior to Magisk and Google overcomplicating things was the first step "selinux permissive".

[–] Quazatron@lemmy.world 24 points 12 hours ago (1 children)

I don't hate it, I know that it adds a lot of security to a system, it's just that it's not user friendly and it can sometimes leave you scratching your head wondering what the hell happened.

[–] marauding_gibberish142@lemmy.dbzer0.com 3 points 7 hours ago* (last edited 7 hours ago) (1 children)

To be honest I had the exact same situation with AppArmor, and since then I have grown to like MAC. I know they're doing it to keep me safe so I don't complain. Honestly if people find MAC to be a hassle they should also in theory find file permissions and ACLs a hassle

[–] timbuck2themoon@sh.itjust.works 1 points 3 hours ago

Oh the people who dislike MAC probably do dislike file permissions too, ha. chmod -R 777 somedir and such.

[–] digdilem@lemmy.ml 44 points 14 hours ago* (last edited 14 hours ago) (4 children)

I have a saying, "If it's not DNS, then it's Selinux". It blocks stuff so frequently it's a major time sink for us.

It is overly complex and difficult to understand, especially if you're developing and deploying software that does not have correct pre-rolled policies. A regular job for me is to help developers solve this - which generally means running their service, seeing what Selinux blocks on, and then applying a fix. Repeat 2-8 times until every way Selinux is trying to access a file is explicitly allowed. And sometimes, even software that comes via official repos has buggy selinux policies that break things.

Fortunately, there are tools to help you. Install setroubleshooter amd when something doesn't work, "grep seal /var/log/messages" and if it's selinux causing the problem, you'll find instructions showing you what went wrong and how to create an exception. I absolutely consider this tool essential when using any system with selinux enabled.

[–] med@sh.itjust.works 1 points 4 hours ago

Is it not possible to run it in audit mode in dev and have it tell you what the would have blocked?

[–] marauding_gibberish142@lemmy.dbzer0.com 3 points 6 hours ago (1 children)

Exactly. I use setroubleshoot myself and it's awesome.

I agree that creating custom policies for a bunch of apps day in day out will be tiring. But that is an argument against all MAC. I personally don't want to see Linux going the way of abandoning MAC

[–] teawrecks@sopuli.xyz 2 points 3 hours ago

How do you know when you're letting through a valid access, an unnecessary one that could be a vulnerability, and an actively malicious one?

I don't think anyone is saying throw out all access control, they're just saying SELinux adds too much unproductive friction for everyday usage. You said it takes 15m to troubleshoot. But that's not a one time thing, that's 15m that scales with the amount of new programs and updates you're running. And 90% of people aren't even going to be able to tell they're looking at a malicious access if they're in the habit of always working around blocks that show up.

[–] kylian0087@lemmy.dbzer0.com 6 points 14 hours ago

Thanks for the tip! Never heard of setroubleshooter tbh.

[–] laurelraven@lemmy.zip 10 points 13 hours ago (1 children)

For me it's not so much hate as just not really having experience with it, so most of the time if it causes an issue I either just find a command that sets the policy correctly, or more likely disable it.

I should spend some time figuring it out, but it's just one more seemingly esoteric and arcane system that feels at first like it merely exists to get in my way, like systemd, and I'm left wondering do I really need this headache, and what is it really giving me anyway?

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 7 hours ago

Do you feel that way about all MAC or just SELinux? AppArmour is similarly arcane when you're in the zone configuring your application. TBH RedHat has troubleshooting instructions in their docs, I just Copts paste and edit as necessary and it doesn't take that long. I guess I just spent more time at it

[–] redxef@feddit.org 6 points 12 hours ago* (last edited 11 hours ago) (2 children)

Docker container can't read a bind mount. Permission issue? No, it's SELinux, again. And I didn't even install it explicitly, it just got pulled in by another package.

And to be clear, the issue isn't SELinux really, but ~~unexpected~~ non standard behaviour which I never asked for (never explicitly installed it).

[–] lukecooperatus@lemmy.ml 7 points 10 hours ago

Isn't that trivially simple to address though? Just add :z to the end of the mount value string, and restart the container.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 7 hours ago

SELinux is installed by default on RHEL derivatives like AppArmour is on Debian derivatives. Sure maybe it's annoying to see a package you didn't download explicitly but I still don't see why it's a big deal. I guess having to delve into SELinux in the middle of configuring another app will cause some pain

[–] kia@lemmy.ca 14 points 15 hours ago (1 children)

If you've used something like AppArmor, you'll see how SELinux is overly complex.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 6 hours ago

I have and I've been left scratching my head both times. AppArmour just deals with files whilst SELinux has contexts - that's the only operational difference I've needed to notice. I create custom policies and am on my way.

[–] catloaf@lemm.ee 12 points 15 hours ago (1 children)

Generally, we don't. I can count on one hand the number of times I've had to mess with it. Two times I had to use restorecon, and two times I had to loosen permissions for an HTTP server. Literally everything else has worked without issue.

I know some people love to bitch and moan about it, but honestly I have to ask what they're doing, because I've had zero non-trivial problems.

[–] lelgenio@lemmy.ml 8 points 15 hours ago (1 children)

The only thing I know about SELinux is that the NSA made it, and that you need to add :z to docker volumes to fix permissions.

[–] remotelove@lemmy.ca -1 points 14 hours ago (2 children)

setenforce 0 is much cleaner, I have found.

[–] deadbeef79000@lemmy.nz 1 points 11 hours ago

They my go to to quickly triage a problem being caused by SEL or not.

[–] oldfart@lemm.ee 0 points 12 hours ago

A mandatory part at the beginning of every Ansible playbook!

[–] Shimitar@downonthestreet.eu 3 points 15 hours ago (2 children)

Its just complex.

I hate it for my Android device maintainer role much more than my Linux admin role...

On Android, its a fucking mess between vendor stuff and system stuff. But not for selinux itself, but for the mess that vendors often do.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 6 hours ago

Yeah I think it's a much bigger pain on Android

[–] remotelove@lemmy.ca 5 points 14 hours ago* (last edited 13 hours ago) (1 children)

Its just complex

When a security mechanism becomes more complex to manage than what it is supposed to protect, it becomes a vulnerability itself.

If you had a minimal system that you built from the ground up yourself and wanted to only have that system function in very specific ways, SELinux would be perfect. I would go so far as to say it would be nearing perfection in some ways.

Sorry, but in the real world, ain't nobody got time for that shit. If you use auto configuration tools or pre-canned configs for SELinux on a system you are unfamiliar with, it's more likely to cause application issues, create security gaps and will likely be shut off by a Jr. admin who really has no fucking clue what he is doing anyway.

It's just easier to keep your system patched and ensure basic network security practices anyway.

It's not impossible to manage these days. In the early days it was, but most everything is automagic now. If I am not mistaken, SELinux can be enabled to 'log only' which would give you data better handled by a HIPS anyway. (Don't quote me on that.)

[–] Shimitar@downonthestreet.eu 1 points 13 hours ago (1 children)

I fully agree with you...

[–] remotelove@lemmy.ca 1 points 13 hours ago* (last edited 13 hours ago)

Sorry if it sounded like my rant was directed at you as it absolutely wasn't. Your comment triggered me, because I absolutely fully agreed with yours as well. ;)

[–] just_another_person@lemmy.world 3 points 15 hours ago

I think hate is a strong word. It can be a pain when admin'ing machines that get a rule introduced that breaks something that previously worked, but I think most people never even realize it's there.

[–] ComradeRachel@lemmy.blahaj.zone 3 points 15 hours ago

openSUSE tumbleweed changed to using it and I think it works well.