SELinux should be EASY TO USE. Right now, it is not. It is an unmitigated disaster. Every time I install a new system, I hope and pray that things have gotten better. I try. I follow the directions. I work with the denials to try to figure out what the problem is. I read. I search on the net. And EVERY SINGLE TIME I END UP BEING FRUSTRATED AND TURN SELINUX OFF.

Total, utter disaster of a package.

Don’t make me, the naive user, learn some new arcane mechanisms. Don’t make me learn new arcane syntax (WTF is xxx:yyy:zzz:aaa? What’s the difference between a source and target context? What is a context? How am I supposed to know if program XYZ is supposed to have access to some file or resource?) Don’t give me inaccurate or incomplete instructions on how to fix the problem. Don’t make me click three times to delete an alert. Don’t make gratuitous changes to tried-and-true GUI mechanisms. Don’t make me spend cycles doing stuff that should JUST WORK.

Oh, and “click icon to view”. You have NO IDEA how many times I clicked THE ICON IN THAT ALERT, and it did nothing? Why don’t you say, CLICK THE ICON IN THE SYSTEM TRAY?

Total, unmitigated disaster. This is not even beta test grade software. It should be removed from Fedora.

P.S: i agree if i was working for CIA or NSA some extra layer of security would be
benefitial. And i would propably dedicate a year to learn SELinux by heart, while my salary payed by taxpayers. But right now we need to do things we used to do, and we not gonna do any efforts if they take more than 5 minutes to fix.
If we see problem - we eliminate it, we not trying to figure out how we can live with it.

Now that I think about it, that likely will responded with “SE Linux is open source and someone would have found that in the code by now.”

To respond to that, many vulnerabilities in apache and sql injection attacks memory block vulnerabilities to allow access to the server. I do not know the SE Linux code well enough to readily see if the NSA built corruptions into the code to allow injection attacks or force memory overruns. No one has had to time to see if these attacks can become a reality. I just find it real suspect that everyone jumped on the SELinux bandwagon all at the same time. Novell has left that game and our Novell reps here site the same issues with me that I have brought up here.

I expect Novell knows what it is doing, therefore, I side with paranoia, SE Linux is gone.

Now I deployed Linux here at my company and first order of business, disable SELinux. In some cases, remove the offender code and recompile the kernel.

I do agree with author saying applications should be made to work with SELinux, but that is the vendor’s or the developer’s problem. Not mine. I have to keep servers up to make this company money.

On a personal note, I do not like SELinux and feel the government has no business in assisting securing servers I am responsible for. I do plan to load backdoor loaded government applications so they can get in whenever they wish. Some of my development staff tells me SELinux is worse than viruses coming from China.

Take this for what it’s worth.

I saw your email for seLinux mailing list, and I hope I could get a reply on my issue here.

Well, I’m a Telco implementation engineer, and installing some Telco services on seLinux system, the full system name is as below:

Linux 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux

After installing the service, and now it’s up and running well, we are at auto stop/start step, so once the machine got rebooted or shutdown, the service will stop and start automatically, but after going through this process, while shutting down the machine and starting up, we got in the boot log the follow:

Apr 30 17:10:13 : Starting VSMS server–>
Apr 30 17:10:13 VSMS: Do you want to choose a different one? [n]

And it always stuck at that point.

I was wondering, does this issue related to the seLinux setting, shall I disable it or as I read in some forums, that changing the policy type parameter ” SELINUXTYPE ” from targeted to strict.

Kindly, may you advise me on that, and if this was the problem and setting has been changed, would this affect the system.

Your fast response is highly appreciate it.

All regards,
Ala’eddin

“The fact is that SELinux is a disruptive technology. There will always be people who fight against disruptive technologies, people who like things the way they are and see no need to change.”

While being just a quote from the overall conclusion, this pretty much gathers the unfortunate route any disruptive technology must face. I would here even overstate Tonyc’s comment; the more disruptive the technology, the more detailed and vivid the documentation must be.

In any case, what made me to write this comment, is the unfortunate antagonism towards new security technology, which is surprising, given the field where it is applied.

And I have seen several instances where a similar recommendation has been given by people involved in the same unnamed distribution as you, albeit not in the same subfield - again very unfortunate and indeed surprising general attitude.

This is not hard to fix without disabling SELinux altogether but some vendors choose to put you at risk rather than do 5 minutes of research.

Perhaps if you had listed what those steps were on this blog, I (and others) would have found the answer I was looking for. Instead, I found a semi-rant on stupid, lazy companies

A quick web search for “disable selinux” shows many companies (and even opensource projects) which list disabling SELinux as the “solution” to their malfunctioning software. That list includes: VMWare, Novell, Brother printers, Oracle, Sun, @Mail, Positive Software, Zend (PHP), Subversion, … the list goes on.

If that many large companies are recommending that selinux be disabled, to me this means that either selinux is useless (very untrue), or that they can’t find the information they need. Since you work in this field, it is obvious to you what should be done, just as it is obvious to a race car mechanic what that ticking sound means in a Formula 1 race car.

However you might look around, and read some Latin - “timeo Danaos et dona ferentes”! If I cannot dig through all kernel sources in order to be sure that all NSA code is out, I can at least try to disable it.