Look, SELinux strives to make things better, we all get it. But as the previous commentors stated, it’s just too damn clunky and complicated to get real traction with many overloaded sysadmins that have lots machines to configure and monitor and not enough time to dick around with shotty docs. Unfortunately, SELinux seems to be having the opposite of its intended effect since it ultimately contributes to insecure practices by making security too time-consuming to implement in the real world. Additionally, complicated workflows tend to invite additional problems by increasing the number of mistakes that admins make. For security packages, it’s often true that complexity=insecurity. Anyhow, that’s my two cents.

Better docs, real-world cookbook sites with user feedback, and a complete overhaul of the configuration workflow would really help quell the rebellion against SELinux.

Anybody found any sites to help?

At our company, we run all our servers with SELinux enabled and enforcing, and except for the first few times, writing policy modules for misbehaving applications has been mostly a no-brainer.

I’m a big fan of the principle of least privilege, and SELinux allows me to implement this in a granular way to protect our valuable systems and the information they contain from malicious entities on the network.

And to those that demand that SELinux should be removed from Fedora/CentOS/RHEL, I’d say In Your Dreams. SELinux is a critical part of what got RHEL5 the EAL4 certificate so that they can sell RHEL5 to government entities that require advanced security mechanisms.

There are valid points put forth by some posters though. Documentation could surely be much better, as I have found it sorely lacking. But since my employers take security very seriously (having been the victim of an intrusion seems to have that effect), I have been allowed to spend the time to figure it out, and nowadays I write custom policy modules with few issues.

I truly urge people to do as I do and rm -rf /etc/selinux

recompile a custom kernel with all hints of selinux disabled (that is till red hat wannabes taint even the kernel source by making it not compile with out their rubbish enabled).

I’m happy to admin on the command line and I in fact do so all day long, but I simply do not have time to “debug” 3 or more services per machine in our network.

Finally, any service that demands a reboot to reconfigure is so fscking out of bounds that I want nothing to do with it. I don’t sit around and develop libs. I have to maintain 100% uptime in a real world situation, because out here, where we pay taxes (not collect them), TIME is MONEY.

I spend a lot of time on security and let me share an (again) *real-world* truism with you: security mechanisms need to be usable, because if they aren’t, THEY DON’T GET USED. The real art of security is putting in place policies and systems that your user-base can live with on a daily basis.

OK, now I reboot and PRAY I’m not facing a trip to the colo.

SELinux should be EASY TO USE. Right now, it is not. It is an unmitigated disaster. Every time I install a new system, I hope and pray that things have gotten better. I try. I follow the directions. I work with the denials to try to figure out what the problem is. I read. I search on the net. And EVERY SINGLE TIME I END UP BEING FRUSTRATED AND TURN SELINUX OFF.

Total, utter disaster of a package.

Don’t make me, the naive user, learn some new arcane mechanisms. Don’t make me learn new arcane syntax (WTF is xxx:yyy:zzz:aaa? What’s the difference between a source and target context? What is a context? How am I supposed to know if program XYZ is supposed to have access to some file or resource?) Don’t give me inaccurate or incomplete instructions on how to fix the problem. Don’t make me click three times to delete an alert. Don’t make gratuitous changes to tried-and-true GUI mechanisms. Don’t make me spend cycles doing stuff that should JUST WORK.

Oh, and “click icon to view”. You have NO IDEA how many times I clicked THE ICON IN THAT ALERT, and it did nothing? Why don’t you say, CLICK THE ICON IN THE SYSTEM TRAY?

Total, unmitigated disaster. This is not even beta test grade software. It should be removed from Fedora.

P.S: i agree if i was working for CIA or NSA some extra layer of security would be
benefitial. And i would propably dedicate a year to learn SELinux by heart, while my salary payed by taxpayers. But right now we need to do things we used to do, and we not gonna do any efforts if they take more than 5 minutes to fix.
If we see problem – we eliminate it, we not trying to figure out how we can live with it.

Now that I think about it, that likely will responded with “SE Linux is open source and someone would have found that in the code by now.”

To respond to that, many vulnerabilities in apache and sql injection attacks memory block vulnerabilities to allow access to the server. I do not know the SE Linux code well enough to readily see if the NSA built corruptions into the code to allow injection attacks or force memory overruns. No one has had to time to see if these attacks can become a reality. I just find it real suspect that everyone jumped on the SELinux bandwagon all at the same time. Novell has left that game and our Novell reps here site the same issues with me that I have brought up here.

I expect Novell knows what it is doing, therefore, I side with paranoia, SE Linux is gone.

Now I deployed Linux here at my company and first order of business, disable SELinux. In some cases, remove the offender code and recompile the kernel.

I do agree with author saying applications should be made to work with SELinux, but that is the vendor’s or the developer’s problem. Not mine. I have to keep servers up to make this company money.

On a personal note, I do not like SELinux and feel the government has no business in assisting securing servers I am responsible for. I do plan to load backdoor loaded government applications so they can get in whenever they wish. Some of my development staff tells me SELinux is worse than viruses coming from China.

Take this for what it’s worth.