Announcement

Collapse
No announcement yet.

Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux

Collapse
X
Collapse
 
  • Page of 3
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 template Next
  • #1

    Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux

    Phoronix: Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux

    Currently on Fedora the Security Enhanced Linux (SELinux) functionality that's there by default can be disabled at run-time via the /etc/selinux/config but moving forward with Fedora 34 they are looking at removing that support and focusing just on disabling via selinux=0 at the kernel boot time in order to provide greater security...

    Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux - Phoronix
    http://www.phoronix.com/scan.php?page=news_item&px=Fedora-34-Drop-SELinux-Runtime
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    Before some people freak out:
    Switching SELinux between "permissive" and "enforcing" mode using setenforce(8) (which is often incorrectly called "disabling/enabling SELinux") is not affected and will remain fully functional.
    From the Fedora wiki page linked in the article.
    • Likes 14

    Comment

    • #3
      Yeah, makes sense if the "disabled" functionality has been deprecated and it's easy enough to do. From root:

      grubby --update-kernel=ALL --args=selinux=0

      and you're done.

      Hopefully, they'll do that automatically for people who have SELINUX already disabled, or they'll put the above command in the
      documentation rather than just say boot with selinux=0. Grubby isn't exactly a command everyone runs everyday. They also need
      to clarify the black box warning; it's contradictory. If you want to disable SELinux, selinux=0 IS the recommended method. If you are
      wanting to run SELinux and just testing without it, use permissive mode.
      • Likes 5

      Comment

      • #4
        Only Sissy's disable the whole thing because they're too lazy to properly look into the issue.
        • Likes 6

        Comment

        • #5
          Originally posted by Space Heater View Post
          Before some people freak out:


          From the Fedora wiki page linked in the article.
          That's good to know. I had to recently configure a CentOS box in which the Customer wanted SELinux to be reported as ON but not doing anything meaningful so that it would pass an audit. Permissive was the best solution to that request.

          I would be peeved if Red Hat removed such options to do so in subsequent Fedora, CentOS or RHEL releases.

          Comment

          • #6
            I always disabled SELinux. Useless to me.
            • Likes 1

            Comment

            • #7
              Only Sissy's disable the whole thing because they're too lazy to properly look into the issue.
              I agree, it is a great way of indicating an application is doing something unexpected/undesired, or something expected in a potentially unsafe way. Turning it off may be easy, but its not the right way.

              I used to turn it off up until about 3 or 4 years ago.
              • Likes 3

              Comment

              • #8
                100s of man hours have been waste because people don't know about selinux or don't think of it as a probably cause of the a problem ...
                • Likes 1

                Comment

                • #9
                  Who doesn't want the NSA enhanced security?!

                  Comment

                  • #10
                    I’d rather not disable, but instead set to permissive. That way nothing is blocked but policy violations are logged, giving you a paper trail if you ever need it.
                    On long running systems with fairly static, well defined, workloads it is some times worth the effort to go through the logs add any missing rules and set it back to enforce.
                    However when in enforce and something is not working, it is such a useful debug step to be able to quickly switch to permissive and test again. I’d rather not have to reboot. What about switching to permissive for the lifetime of the root interactive login shell, or with a timeout?
                    • Likes 3

                    Comment

                    Previous 1 2 3 template Next
                    Working...
                    X