Re: selinux is a pain



Martín Marqués <martin.marques@xxxxxxxxx> wrote:

> I reinstalled (better hardware) a server and had selinux enabled (was
> disabled before), and I'm starting to see why so many people don't use
> selinux.
>
> My question is, how many people are using selinux?

SELinux is a mighty thing, but it's way too complex. It's missing
proper tools to manage it, and it's also not very well documented.
I used SELinux for years, but even for their own distribution,
the Fedora people never managed to maintain a SELinux policy that
just works with their own services.

Yes, all problems got fixed with updates of the SELinux policy packages
sooner or later, but until these updates were released, for every problem
I spent a lot of time finding workarounds so that I could use my computer
again (thanks to Red Hat's Bugzilla and all the other Fedora users with
the same problems).

SELinux on Fedora works okay if you use your computer as an end-user
workstation with the minimum of local services. But on such a system,
SELinux doesn't have much to do.

As soon as you enable services shipped with Fedora or even try to
install your own ones, you'll get into trouble eventually.

Yes, there are tools to scan SELinux log files and create exceptions,
but I ended up with hundreds of exceptions. And to be honest, I don't
understand what they do exactly. I cannot trust SELinux any longer.
That doesn't give me any additional security.

SELinux has wasted too much time of my life over the years,
so I decided to no longer use it. I keep my computers up to date
and configure them properly. If that isn't enough, bad luck.

SELinux is a nice concept, but for me it has failed because it's
not really usable.

Greetings, Andreas
