Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I’m using Fedora in enforcing mode, and so are probably most Fedora users. SELinux is usually completely transparent on desktop[1]. Of course it can sometimes cause some issues you might be unprepared for.

The most recent one I can remember was configuring Postfix to perform local delivery to ~/.local-mail/inbox. I had to manually change security context for that directory. Or linking /var/www/foo to ~/foo is an example of something that you might expect to work, but would be blocked by SELinux.

But those are not the kind of things you would do on Android anyway. They use SELinux to strengthen the security framework they already have in place. SELinux is just the last line of defence for implementation bugs and things they might have missed. It would be completely unintrusive.

The NSA presentation is worth watching, they go through various Android exploits that could have been prevented by the policy they developed, without actually targeting those specific exploits.

https://www.nsa.gov/research/selinux/

[1] It’s also because it unfortunately isn’t actually used by most desktop applications, with some exceptions, like Chromium.



i am embarrassed to say this but rather than configure SELinux to do those little things - like local mail delivery or open a new socket for httpd - i tend to just disable it. i'll chalk it up to a usability problem on their part and not laziness to learn it on mine.

i'm familiar with it, i've written some policies in it, i remember when it was introduced. that said ... i don't use it.


Instead of disabling it, consider putting it into permissive mode. It logs violations but doesn't enforce any rules. It's a good way to get a feel for what it's doing. You can tweak the rules, view the logs, tweak some more, and work up to a tight policy before enabling.

Also, if you disable it, re-enabling requires that you relabel all of your files and reboot the system; the relabel process can take an impressive amount of time.

Switching between eforcing and permissive can be done on the fly with the setenforce command, no reboot required.

I do think that laziness is a virtue in a sysadmin when properly applied, but using selinux is in your best interest.


Laziness might be justified sometimes, but you may as well call it what it is.


You shouldn't feel embarrassed, SELinux is so fine-grained that a proper configuration is very difficult to attain.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: