Who uses SELinux on their systems and why?

rchurch OG
edited January 2020 in Technical

In the early days of SELinux, at least 10 years ago, it was so frustrating and admin tools were so inadequate that I always disabled it. I want to get back to it now and wonder if it has any fans here and why they use it?

If there are any users here I have these questions for them:

What distro(s) do you use it with? I believe it is installed and configured automatically on Fedora/Redhat.

Do you use built-in settings, or customize for own use?

What admin tools come with it, what additional tools do you use?

Is it for own personal use, workplace computer or server administration?

Which aspects of your system do you mostly use it for?


Comments

  • Anyone who comments should watch this first.

    Ionswitch.com | High Performance VPS in Seattle and Dallas since 2018

  • WSS OG Retired

    Since we're missing a snarky first post, how about a snarky second post:

    I'm so concerned about Linux security that I only run BSDs on it.

    My pronouns are like/subscribe.

  • rchurch said: What distro(s) do you use it with? I believe it is installed and configured automatically on Fedora/Redhat.

    I use it with CentOS/Oracle Enterprise and a Fedora box. It's installed by default and as long as you only use included packages it's about 90%. As soon as you wanna do anything even vaguely non-standard you're still modifying things though.

    rchurch said: Do you use built-in settings, or customize for own use?

    Both but primarily built-in.

    rchurch said: What admin tools come with it, what additional tools do you use?

    I just use the semanage, setroubleshoot CLI.

    rchurch said: Is it for own personal use, workplace computer or server administration?

    Why only one?

    rchurch said: Which aspects of your system do you mostly use it for?

    Defense in depth.

    rchurch said: I want to get back to it now and wonder if it has any fans here and why they use it?

    I wouldn't say I'm a fan per se .... but it's useful.

  • @skorous said: I wouldn't say I'm a fan per se .... but it's useful.

    This pretty much sums things up. The tooling for working with it could be a lot better, but it's useful. I mean it's easy once you spend 10,000 hours fixing SELinux problems.

    I like the idea behind it, but ultimately, I think something like pledge and veil from OpenBSD or eBPF are probably better. Or at least easier to work with.

  • havoc OG Content Writer

    Nope.

    I'm clever enough to know when I don't understand something... (and won't without massive time investment)
