by AaronFriel 1571 days ago
That's not my assertion; my assertion is that SELinux doesn't work for a lot of people even if it works for you or me, and that's why you see the advice to disable it in forum posts.

To be clear: SELinux is an important mitigation - just like the Windows Firewall - and one should not disable either.


I disagree. The advice to disable SELinux, like your assertion that it's too complicated for ordinary users, belongs to an older time. It's time to lay that myth to bed.

Sure, if you're messing around with k8s and doing fun eBPF stuff you are going to need to be careful. But for just installing an OS, running it to do some web browsing, gaming, image editing, word processing? I would be highly surprised if the defaults do not work.

> The advice to disable SELinux... time to lay that myth to bed.

I think we agree, and Fedora / Red Hat have done great work setting up great defaults.

But when a user encounters an issue with SELinux, the lack of feedback mechanisms to help them onto a better path results in them finding that advice.

Fedora literally gives you a notification and you can take action

(Me as a novice Linux user)

That's fantastic for Fedora desktop users. I don't expect you'd know, but is there a way to get the same quality of information via a CLI command?

grep denied /var/log/audit/*

On some systems the avc violations also get printed in dmesg.

If violations block your whole system from even running, you can enable permissive mode; this only logs violations without enforcing them.

As others already mentioned, turning violation logs into allow rules can be done with audit2allow. Wouldn’t recommend blindly using that though, as the generated rules are always either too narrow or too wide; just use it as a guideline.

FYI, "ausearch -i -ts recent -m avc" gives you SELinux violations from the last 10 minutes in slightly more readable form.
I think there is. It's been a long time since I had issues with SELinux. To be honest I have no idea how the GUI works. I do everything with CLI.

From the top of my head, I don't know. But this might help:

https://wiki.archlinux.org/title/SELinux