Hacker News new | ask | show | jobs
by AaronFriel 1571 days ago
I strongly believe that software that works for users is better than software that doesn't, and it's clear that for most lay folks, SELinux is software that doesn't work.

SELinux remains inscrutable and unusuable to the lay person. Microsoft had the same problem with Windows XP and especially after its service pack 2 when the Windows Firewall was introduced, that it was difficult to debug and applications didn't prompt to open ports or have an API to do so. So many a lay person posted on forums "disable firewall".

Users don't care why their tools don't work, they don't understand why or how to fix it. Technically complex SELinux audit tutorials are not helpful. There needs to be real, genuine attention to user experience an almost tutorial like CLI command. Something so simple anyone could safely make a program run. Whether that program is safe itself is another question, and users should be told that too.
2 comments
frabbit 1571 days ago
> it's clear that for most lay folks, SELinux is software that doesn't work.

I have always used selinux enabled systems. For the first few years it was a bit confusing and frustrating at times, but for the last (decade?) I have never had to butt heads with it. The default policies shipped by e.g. Fedora (a userland closest to the development of this work and therefore probably better maintained than some others) work out of the box without hassle.

This very article refutes your assertion: here we see SELinux working for ordinary users without any additional fiddling. You, on the other hand, are probably exposed to this privilege escalation.

link
AaronFriel 1571 days ago
That's not my assertion, my assertion is that SELinux doesn't work for a lot of people even if it works for you or I; and that's why you see the advice to disable it in forum posts.

To be clear: SELinux is an important mitigation - just like the Windows Firewall - and one should not disable either.

link
frabbit 1571 days ago
I disagree. The advice to disable SELinux, like your assertion that it's too complicated for ordinary users, belongs to an older time. It's time to lay that myth to bed.

Sure, if you're messing around with k8s and doing fun eBPF stuff you are going to need to be careful. But for just installing an OS, running it to do some web-browsing, gaming, image editing, wordprocessing? I would be highly surprised if the defaults do not work.

link
AaronFriel 1571 days ago
> The advice to disable SELinux... time to lay that myth to bed.

I think we agree, and Fedora / Red Hat have done great work setting up great defaults.

But when a user encounters an issue with SELinux, the lack of feedback mechanisms to help them onto a better path results in them finding that advice.

link
MonaroVXR 1571 days ago
Fedora literally gives you a notification and you can take action

(Me a as novice Linux user)

link
AaronFriel 1571 days ago
That's fantastic for Fedora desktop users. I don't expect you'd know, but is there a way to get the same quality of information via a CLI command?
link
pjmlp 1571 days ago
One of the best things on Android is having SELinux and seccomp enabled.
link