undefined | Better HN

0 pointsmhitza1y ago0 comments

SELinux has been enabled on Fedora for as long as I remember.

SELinux is complex, badly documented, policy code is obscure macro incantation, and basic debugging tools often aren't installed out of the box on server distros (such as audit2allow). But for the day to day administration of systems, policies are included for distribution packages and most issues can be fixed by enabling a boolean here and there, and relabeling files.

The principles, basic admin & debugging part can be learned in a couple of hours, and when you have custom service software, you can throw it in /opt and have it run unconfined (ie: not subject to SELinux rules).

0 comments

jerf1y ago

"The principles, basic admin & debugging part can be learned in a couple of hours,"

In principle, yes. In reality I've gone looking for a resource that I could do this with and come up short.

(I am starting to get really annoyed at things where I can find a million "paste this bit to do that thing" and there are so darned many of those on the internet that any hope of finding a good resource that gets to the underlying structure such that I can figure out how to do these things myself is virtually nil. It seems like this is getting worse as the search engines continue their trend of taking your query as a vague suggestion of the sort of thing you're looking for.)

mhitzaOP1y ago

Maybe I'll write that guide, and then (fingers crossed) people will find it via search engines (before all search engines become just an LLM frontend).

jerf1y ago

Well, if you do, my email is in my profile and I'll be happy to be an advance proofreader if you're interested. I've got a couple of teens in a very similar position as well, so I can even provide multiple people's point of view. I have pretty much the exact right amount of experience for that; I've been in there, I've done things, even completed a couple of non-trivial projects (nothing amazing, but, more than just "a pad with a pocket in it"), I recognize I'm confused, I don't know where to proceed from there.

1 more reply

KAMSPioneer1y ago

I mentioned elsewhere in the thread, I (well, my employer) picked up a copy of a book on SELinux System Administration (that's the title) and it has served just this function for me.

It won't make you an expert but it takes the voodoo out of the whole process, if that makes sense. And it is reasonably short if you skip the stuff that you're (probably) never going to configure like passing labelled traffic between hosts with IPSEC.

XorNot1y ago

It's baffling to me that SELinux's UI is like...the best we can apparently do?

The underlying concepts of SELinux aren't so hard but trying to manage it in any sort of coherent way is a nightmare - up to and including the provisions in it for a network based policy server component which just never appeared.

And it sucks! In theory it does so many things we really really want, and should do more. Like I as a user have a great interest in ensuring my home directory files follow sensible markings based on their content - my SSH keys, AWS keys, or banking files all exist in different logical zones of control.

And this is a concept SELinux can handle...but the tools are just so bad at surfacing it.

mike_hearn1y ago

It's not. The (undocumented!) SBPL that Apple OS' use is easier to understand and debug than selinux, in my experience.

giancarlostoro1y ago

Reminds me of git itself, you read about its internals it sounds easy. You start trying to figure out how to map commands in a way that makes sense, it baffles you when things break.

TheRealPomax1y ago

Why would the NSA want to make something easy to use for others?

Gud1y ago

Why wouldn't they?

2 more replies

throwaway8943451y ago

I haven’t touched SELinux. How does it compare to Systemd (presently my standard for “ubiquitous despite terrible UX”).

j / k navigate · click thread line to collapse

0 comments

jerf1y ago

"The principles, basic admin & debugging part can be learned in a couple of hours,"

In principle, yes. In reality I've gone looking for a resource that I could do this with and come up short.

mhitzaOP1y ago

Maybe I'll write that guide, and then (fingers crossed) people will find it via search engines (before all search engines become just an LLM frontend).

jerf1y ago

1 more reply

KAMSPioneer1y ago

I mentioned elsewhere in the thread, I (well, my employer) picked up a copy of a book on SELinux System Administration (that's the title) and it has served just this function for me.

XorNot1y ago

It's baffling to me that SELinux's UI is like...the best we can apparently do?

And this is a concept SELinux can handle...but the tools are just so bad at surfacing it.

mike_hearn1y ago

It's not. The (undocumented!) SBPL that Apple OS' use is easier to understand and debug than selinux, in my experience.

giancarlostoro1y ago

Reminds me of git itself, you read about its internals it sounds easy. You start trying to figure out how to map commands in a way that makes sense, it baffles you when things break.

TheRealPomax1y ago

Why would the NSA want to make something easy to use for others?

Gud1y ago

Why wouldn't they?

2 more replies

throwaway8943451y ago

I haven’t touched SELinux. How does it compare to Systemd (presently my standard for “ubiquitous despite terrible UX”).

j / k navigate · click thread line to collapse