Real application of selinux [closed]
Almost all tutorials and most systems I have seen seem to disable SELinux. Are there actual implementations of SELinux security in the real world?
selinux
asked Feb 2 at 13:21
Atul
closed as too broad by Jeff Schaller, Michael Homer, jimmij, Thomas, Romeo Ninov Feb 3 at 10:39
1
Yes, Android is making heavy use of SELinux. And please no "no true Scotsman"; Android is a real Linux system, and a multi-billion install base should be "real world" enough for anybody.
– mosvy
Feb 2 at 16:42
2
The tutorial authors must be naive or lazy. Yes, of course: SELinux was developed by the NSA for real reasons, and those reasons still exist. Thus, SELinux is absolutely in use in the real world solving real-world problems. Do not disable SELinux; learn to use it instead! :)
– Christopher
Feb 2 at 21:15
1
There are tons of real-world examples of SELinux; your question shows little to no effort on your part. The tutorials advising to disable SELinux are poorly written; learn to use and debug SELinux.
– Panther
Feb 3 at 3:11
2 Answers
SELinux is a form of mandatory access control, where a set of labels are used to control what processes can or cannot do. The default access control method on Linux involving ugo permissions is discretionary - it leaves it to the user's discretion to actually figure out what permissions should go where. A 'problem' with using SELinux's mandatory access control is that applications can sometimes refuse to work as you want them to, for apparently mysterious reasons.
Let's take the rsyslog daemon as an example. The directory and files under /var/log have the correct SELinux labels to work with rsyslog. However, if you try to define a log file elsewhere on the system, such as /opt, rsyslog will not be able to write to it because of the wrong SELinux contexts on that file. Because the access control is mandatory, this will happen even if you are setting 777 permissions on the new log file. In this specific case, the SELinux contexts may be set on the new log file using chcon. But wait, those contexts would be lost on the next relabelling of the filesystem. So what you really need is semanage fcontext.
As I've tried to illustrate with the above example, SELinux has a strong learning curve. Even after you understand the basics of how it works, you still have to work with a large number of commands (semanage, sestatus, sealert, chcon, restorecon, audit2allow) to achieve the intended result. Even then, the documentation can sometimes leave you confused about where you're going wrong.
Given the challenges with actually using SELinux, most people just find disabling it to be a more convenient option. In fact, the highest voted question under the SELinux tag here on U&L is about disabling SELinux.
One more thing to note is that distributions related to Red Hat ship with SELinux enabled (Fedora, RHEL and its derivatives). The SELinux policies that ship with these systems have gotten good enough that a lot of people would not typically notice SELinux running on their system.
answered Feb 2 at 14:06
Haxiel
Yes; Red Hat Enterprise Linux enables it by default, for one:
Enforcing mode is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.
answered Feb 2 at 13:28
Jeff Schaller
I understand it's enabled by default, my question is do we actually use it?
– Atul
Feb 2 at 13:29
Most of the time, I see it's being disabled. It may be a bad practice, or is it really that hard to use the system with SELinux in the real world?
– Atul
Feb 2 at 13:30
2
Obligatory stopdisablingselinux.com
– Jeff Schaller
Feb 2 at 13:41