[EvanAnderson]

There's nothing magical about the Linux security architecture, when it comes to malware, aside from abysmal Linux market share. If it were popular it would be targeted.

That's not to say there's no value. It's a case of security by obscurity, at best. The Unix security model is much more simplistic than Windows NT. Everybody disables SELinux so there's no meaningful capabilities functionality.

Assuming you actually do run malware, all your user account's data on a Linux machine ends up being just as vulnerable to exfil or ransom as if you're running Windows as a limited user.

[gerdesj]

"Everybody disables SELinux"

That implies you are probably using a RH jobbie. With no working whatsover, I assert that many more Linux desktops will be rocking apparmor or no kernel security module.

Oh and no I don't disable SELinux, except as a quick check to see if that is what is causing issues. Obviously I'm not everyone, but I am someone.

[EvanAnderson]

I haven't used desktop Linux in a number of years, but back when I did I'd see disabling SELinux was a common recommendation. I hope things are getting better.

On the Linux application hosting front the majority of vendor-supported garbage I have the displeasure of supporting that runs outside of Docker disables SELinux as a matter of course.

[gerdesj]

I haven't daily driven anything but Linux for 15 years or more. I remember when Xorg was the new kid and XFree86 could destroy your CRT (or so "they" said - I never managed it!) Mind you I also remember #make config taking about 20 minutes.

Advice advocating disabling selinux is very similar to SFC /SCANNOW or "turn off your anti virus". As soon as you see advice like that you do have to wonder at the motive.

A quick broad-brush approach to troubleshooting is fine and could be considered the first stage before a binary search is used to get to the real problem. So you make things safe first and then you switch off something like selinux. Does that work? If yes, then you switch it back on and then do your search within selinux and perhaps bother with reading logs.

You obviously have to support a lot of cough enterprise ... RH based stuff or perhaps Oracle's sufferings.

If you can, call someone's bluff: Insist on a standard. PCI DSS is involved as soon as a payment card is involved - that will soon sort things out. In the UK, we have Cyber Essentials and the plus form. Non UK Europe also has similar standards. The US will have Freedom versions of any standards and the rest of the world will have theirs.

Go in with standards if you can. As soon as you permanently switch off a security mechanism you have failed (yourself and your customer).

Good luck mate.

[codedokode]

On Linux one typically runs third-party (not coming from official repositories) software in a sandbox which is a great pain (good luck sandboxing an Electron app) but at least possible. Unless you own exploits to bypass kernel restrictions you cannot do much.