Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux

  • #21
    Originally posted by hauberg:
      SELinux is one of those things where more work is needed to reduce the amount of paper cuts here and there. For instance, in Fedora you cannot use the default Gnome gui for setting up OpenVPN using certificates. SELinux will block, but you never get any message about this (unless you know where to look); the VPN connection just fails. It's great that SELinux is being pushed harder, but it sure would be nice if an effort was made to reduce end-user-facing paper cuts.
    SELinux works well in very static situations. Works well for Android. The problem with it on something like Fedora is that everybody configures it to their own needs.

  • #22
    Originally posted by droidhacker:
      SELinux works well in very static situations. Works well for Android. The problem with it on something like Fedora is that everybody configures it to their own needs.
    I agree that SELinux + editing of random config files is a time-consuming combination. However, configuring the system using the default GUI should not bring any sort of conflict with SELinux. Since stuff like that happens somewhat regularly, SELinux quickly gets a poor reputation with non-sysadmin users.


  • #23
    Originally posted by hauberg:
      I agree that SELinux + editing of random config files is a time-consuming combination. However, configuring the system using the default GUI should not bring any sort of conflict with SELinux. Since stuff like that happens somewhat regularly, SELinux quickly gets a poor reputation with non-sysadmin users.
    Think of it more as SELinux telling you that an application does a task it is not supposed to do, and it is the job of that developer to fix it. Remember that Portal game years ago.


  • #24
    Originally posted by torbido:
      Who doesn't want the NSA enhanced security?!
    Clueless, uneducated people?


  • #25
    Originally posted by Space Heater:
      Before some people freak out:

      From the Fedora wiki page linked in the article.
    Glad you pointed this out, I was just about to invite people to switch over to Ubuntu.


  • #26
    Originally posted by hauberg:
      SELinux is one of those things where more work is needed to reduce the amount of paper cuts here and there. For instance, in Fedora you cannot use the default Gnome gui for setting up OpenVPN using certificates. SELinux will block, but you never get any message about this (unless you know where to look); the VPN connection just fails. It's great that SELinux is being pushed harder, but it sure would be nice if an effort was made to reduce end-user-facing paper cuts.
    Yeah. I think I ran into that OpenVPN thing a while ago. If I remember correctly, there's a directory you're supposed to use for the certificates or secrets. But nothing in the GUI limits you or hints about it. I remember that you certainly can't use $HOME/Downloads.

    Fedora should probably patch that GUI to only allow choosing files from that one secured directory.


  • #27
    Originally posted by Zan Lynx:
      Yeah. I think I ran into that OpenVPN thing a while ago. If I remember correctly, there's a directory you're supposed to use for the certificates or secrets. But nothing in the GUI limits you or hints about it. I remember that you certainly can't use $HOME/Downloads.

      Fedora should probably patch that GUI to only allow choosing files from that one secured directory.
    Yes indeed, certificates have to be in one specific folder (it's a secret which one, though) and the GUI doesn't help; the VPN just doesn't work if you get it wrong. Unfortunately, that type of paper cut appears too frequently with SELinux. It's probably a good thing that arbitrary applications fail if they don't do things the right way, but system defaults really should perform better.


  • #28
    I find "permissive" to be useful when used in combination with audit2why or audit2allow. Without it, I find that sometimes I'll see the offending error with ausearch, then use audit2allow, for example, to create a new policy to fix it... Then the application is still broken. What gives? Run ausearch again and ah... I got past that error, but now there's a NEW error. By putting it in permissive first, ausearch will now show multiple errors. You can pipe all of those into audit2allow to generate one policy that addresses all those errors and avoid that game of whack-a-mole. Just gotta make sure you flip it back into "enforcing" when you're done.
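The permissive-then-audit2allow loop described in #28, as an added example that is not part of the thread or of any Fedora tooling. It is plain POSIX shell; setenforce, ausearch, audit2allow, semodule and restorecon are the standard Fedora commands, while the sample AVC records, the OpenVPN scenario and the module name "localfix" are constructed for illustration. The summariser is there so the collected denials get read (is this a mislabelled file, as in #29, or a real policy gap?) before any of them is turned into an allow rule:

```shell
#!/bin/sh
# Added example, not code from the thread: collect every denial in one
# permissive run (#28), summarise them, and only then build a local module.
# Tool names are Fedora's standard ones; AVC_SAMPLE and "localfix" are constructed.

# Constructed sample of what `ausearch -m AVC -ts recent` prints (not real data):
# an OpenVPN process denied access to a certificate and key left under $HOME.
AVC_SAMPLE='type=AVC msg=audit(1600000000.123:45): avc:  denied  { read } for  pid=1234 comm="openvpn" name="client.crt" dev="dm-0" ino=123 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.456:46): avc:  denied  { open } for  pid=1234 comm="openvpn" name="client.crt" dev="dm-0" ino=123 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.789:47): avc:  denied  { read } for  pid=1234 comm="openvpn" name="client.key" dev="dm-0" ino=124 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# summarize_avc: read AVC records on stdin and print one deduplicated line per
# "source-domain target-type class permissions" tuple. Collapsing the raw log
# this way shows whether a denial is a mislabelled file (fix with restorecon or
# /.autorelabel, as in #29) or a genuine policy gap (the only case that should
# ever be fed to audit2allow).
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass") cls = kv[2]
        }
        print src, tgt, cls, perm
    }' | sort -u
}

# count_unique_denials: number of distinct tuples in the constructed sample
# (three records, but client.crt/read and client.key/read collapse to one).
count_unique_denials() {
    printf '%s\n' "$AVC_SAMPLE" | summarize_avc | wc -l | tr -d ' '
}

# collect_denials_permissive: the #28 loop on a real Fedora box (needs root).
# Switch to permissive only for one reproduction so every denial is logged
# instead of just the first, then go straight back to enforcing before looking
# at the log. The command that reproduces the failure is passed as arguments.
collect_denials_permissive() {
    setenforce 0
    "$@" || true                  # reproduce the failure once
    setenforce 1                  # never leave the machine permissive
    ausearch -m AVC -ts recent    # all denials from that run, at once
}

# build_module_from_denials: turn the reviewed denials into one local module.
# Read localfix.te before installing it: audit2allow grants whatever the log
# contains, including access that was denied for a good reason.
build_module_from_denials() {
    ausearch -m AVC -ts recent | audit2allow -M localfix
    cat localfix.te
    # semodule -i localfix.pp    # only after the .te has been reviewed
}

# Stand-alone run: summarise the constructed sample (touches nothing on the system).
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

In the sample the summary comes out as two lines, both openvpn_t acting on user_home_t files; that is the signature of the thread's OpenVPN case, where the right fix is moving or relabelling the certificate rather than granting openvpn_t read access to the whole home directory.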


  • #29
    SELinux also saved me a few times from some spotty binaries I thought I knew the origin of.

    Most of the issues I had with it were mislabeled files. Just ran "touch /.autorelabel", rebooted and it stopped bothering me (usually happens after in-place upgrades).