SELinux Continues Path Of Deprecating Run-Time Disabling


  • SELinux Continues Path Of Deprecating Run-Time Disabling

    Phoronix: SELinux Continues Path Of Deprecating Run-Time Disabling

    The Security Enhanced Linux (SELinux) changes for Linux 6.1 but with a documentation update does provide a good reminder for a public service announcement: run-time disabling of SELinux is deprecated and will be removed in the future...

    https://www.phoronix.com/news/SELinux-Runtime-Disabling
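The deprecation the article refers to is the path where userspace turns SELinux off after boot, which is what `SELINUX=disabled` in /etc/selinux/config relies on; the documented replacement is the `selinux=0` kernel command-line parameter. The following checker is an added example, not code from the Phoronix article or the SELinux project: it reads a config body and a kernel command line (both constructed samples below), reports how SELinux will come up at boot, and warns when the host still depends on run-time disabling. The state strings and warning wording are this example's own.

```python
"""Check whether a host's SELinux disable setting depends on the deprecated
run-time disable path.  Added example, not code from the Phoronix article or
the SELinux project; the sample config and cmdline below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed /etc/selinux/config in the layout Fedora/RHEL ship.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

# Constructed /proc/cmdline for a host booted without any SELinux parameter.
SAMPLE_CMDLINE = "BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.1.0 root=/dev/mapper/root ro rhgb quiet"

_KEY_VALUE = re.compile(r"^\s*([A-Z]+)\s*=\s*(\S+)\s*$")


def parse_selinux_config(text: str) -> dict[str, str]:
    """Return KEY=value pairs from a /etc/selinux/config body, skipping comments."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _KEY_VALUE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).lower()
    return settings


def parse_cmdline(cmdline: str) -> dict[str, str]:
    """Return kernel parameters as a dict; bare flags (e.g. 'quiet') map to ''."""
    params: dict[str, str] = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


@dataclass
class Assessment:
    state: str  # how SELinux comes up at boot (wording is this example's own)
    warnings: list[str] = field(default_factory=list)


def assess(config_text: str, cmdline: str) -> Assessment:
    """Combine the config file and kernel parameters the way the boot path applies them."""
    cfg = parse_selinux_config(config_text)
    params = parse_cmdline(cmdline)
    mode = cfg.get("SELINUX", "missing")

    # The kernel parameter is the supported way to turn SELinux off: it is
    # evaluated before any policy is loaded, so nothing is disabled at run time.
    if params.get("selinux") == "0":
        return Assessment("disabled via kernel parameter selinux=0")

    # SELINUX=disabled asks userspace to disable SELinux after boot, i.e. the
    # run-time disable path the article says is deprecated and will be removed.
    if mode == "disabled":
        return Assessment(
            "disabled via deprecated run-time disable (SELINUX=disabled)",
            ["SELINUX=disabled relies on run-time disabling; once that is removed the "
             "setting stops working. Put selinux=0 on the kernel command line instead, "
             "or keep SELinux enabled."],
        )

    # enforcing=0 only changes anything when the config asked for enforcing.
    if params.get("enforcing") == "0" and mode == "enforcing":
        return Assessment("permissive via kernel parameter enforcing=0 (config says enforcing)")

    if mode in ("enforcing", "permissive"):
        return Assessment(mode)
    return Assessment("unknown", [f"unrecognised SELINUX value: {mode!r}"])


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG, SAMPLE_CMDLINE)
    print("boot state:", result.state)
    for warning in result.warnings:
        print("warning:", warning)
```

On a real host, feed it the contents of /etc/selinux/config and /proc/cmdline; the sample above deliberately models the case the article warns about, a config that says `disabled` with no `selinux=0` on the kernel command line.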

  • #2
    What is the performance penalty of SELinux and does any Linux distribution ship with SELinux enabled by default?



    • #3
      Originally posted by uid313
      What is the performance penalty of SELinux and does any Linux distribution ship with SELinux enabled by default?
      The performance penalties are in the order of a couple of percentage points, but YMMV.
      RHEL and Fedora both get shipped with SELinux enabled by default.



      • #4
        Originally posted by uid313
        What is the performance penalty of SELinux and does any Linux distribution ship with SELinux enabled by default?
        About enablement, this is installed and enabled by default on every Fedora version since Fedora Core 3, and every RHEL release since RHEL 4.



        • #5
          Originally posted by uid313
          What is the performance penalty of SELinux and does any Linux distribution ship with SELinux enabled by default?
          Distros which enable SELinux by default:
          • RHEL/CentOS and their derivatives
          • Fedora and its derivatives
          • Android!
          Performance impact is absolutely there, but it depends on the workflow. Some tasks are not slowed down at all, some are slowed down. In the long past I disabled SELinux on my desktop Fedora; for the past six years or so, I've left it on.

          BTW, it would be nice to compare MAC implementations and their performance impact, Michael.

          E.g. Ubuntu with and without AppArmor, Fedora with and without SELinux.
          Last edited by birdie; 05 October 2022, 07:23 AM.



          • #6
            Originally posted by birdie

            BTW, it would be nice to compare MAC implementations and their performance impact, Michael.

            E.g. Ubuntu with and without AppArmor, Fedora with and without SELinux.
            Such a comparison is apples to oranges and not very useful: SELinux very likely has a higher impact, but also provides substantially more control. And because you can't easily quantify (in numbers) the security difference, you're left with the relative performance of two security systems with different goals and different impacts.

            AppArmor AFAIK only applies to running processes and only describes paths that those processes may access. SELinux is an entire system of contexts that controls things like socket access and can be applied to users as well, e.g. to prevent 'su' or 'sudo' from giving you totally unrestricted access.
            Last edited by ll1025; 05 October 2022, 08:17 AM.



            • #7
              Originally posted by ll1025

              Such a comparison is apples to oranges and not very useful.
              It is an apples to oranges comparison somewhat, but it is still quite useful. SELinux performance has gotten substantially better over the years, so even if it has a bigger impact because of its wider scope, a good benchmark will provide guidance on how much that delta is, and if some aspects are substantially worse than expected, it can help developers focus on that.



              • #8
                What about setenforce 0? I use that in my workflow to quickly create audit rules.

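`setenforce 0` puts a booted system into permissive mode: the policy stays loaded and every denial is still written to the audit log, which is why the workflow in the post above works and why it is a different thing from the run-time disabling the article says is going away. As an added example, not code from the thread or from the SELinux project, here is a parser over constructed audit.log AVC records of the kind permissive mode produces (`permissive=1`). It merges denials into candidate `allow` rules the way audit2allow's output looks, and flags rules that usually deserve a second look. The `RELABEL_HINT_TYPES` heuristic is this example's own assumption, not policy semantics.

```python
"""Turn AVC denials from a permissive-mode audit log into candidate allow rules.
Added example, not from the Phoronix thread or the SELinux project; the audit
records below are constructed."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed AVC records in the shape audit.log produces after `setenforce 0`.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1664960000.123:451): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1664960000.124:452): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/web/index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1664960001.001:453): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1664960001.001:453): arch=c000003e syscall=42 success=yes exit=0
"""

_AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Heuristic (this example's assumption, not SELinux policy): denials against these
# target types usually mean mislabelled files or a policy boolean, not a missing rule.
RELABEL_HINT_TYPES = {"user_home_t", "unlabeled_t"}


def parse_avc_denials(log_text: str) -> list[dict]:
    """Extract the fields a rule needs from each type=AVC record; other records are skipped."""
    denials = []
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        match = _AVC.search(line)
        if not match:
            continue
        denials.append({
            "perms": set(match["perms"].split()),
            # contexts are user:role:type:level; the type is what rules are written against
            "source_type": match["scontext"].split(":")[2],
            "target_type": match["tcontext"].split(":")[2],
            "tclass": match["tclass"],
            "permissive": match["permissive"] == "1",
        })
    return denials


def summarise_rules(denials: list[dict]) -> list[str]:
    """Merge denials into one candidate allow rule per (source, target, class)."""
    merged: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for d in denials:
        merged[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def review_notes(denials: list[dict]) -> list[str]:
    """Point out candidate rules that should not be added on autopilot."""
    notes = set()
    for d in denials:
        if d["target_type"] in RELABEL_HINT_TYPES:
            notes.add(
                f"{d['source_type']} -> {d['target_type']}: check file labels "
                "(restorecon) or an existing boolean before adding an allow rule"
            )
    return sorted(notes)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(found)} denials, "
          f"{sum(d['permissive'] for d in found)} logged in permissive mode")
    for rule in summarise_rules(found):
        print(rule)
    for note in review_notes(found):
        print("review:", note)
```

The `permissive` flag is worth keeping in the output: with `setenforce 0` every denial is logged but nothing is actually blocked, so a quiet log after a test run means the policy has been exercised, not that the rules are complete.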


                • #9
                  Yet another reason to abandon SELinux and switch to AppArmor.



                  • #10
                    Originally posted by kloczek
                    Yet another reason to abandon SELinux and switch to AppArmor.
                    I don't even know AppArmor exists on openSUSE and Ubuntu. I guess it's there protecting things. I don't exactly know if it protects things without a profile, as I've set up web servers, databases, and game servers all without seeing mention of AppArmor.

                    SELinux is also silent on Fedora Workstation, but it becomes really visible when hosting servers. I don't need to make a rule to turn SELinux on; it's just on, everywhere. I have to make rules most of the time to allow certain functionality with servers.
