
SELinux In Linux 6.6 Removes References To Its Origins At The US NSA


  • #21
    I didn't use SELinux specifically but way way back in the day I wrote my own LSM (Linux Security Module) for grad school that used the same OS hooks as SELinux for Domain & Type Enforcement in grad school. It was fun showing root failing to delete the /bin directory in a live demo.



    • #22
      Originally posted by sarmad
      It's a bad technology anyway. They may as well just drop it altogether rather than only dropping the NSA reference. It's bad because it's over complicated, and when something is over complicated it leaves room for mistakes that result in security holes. I remember needing to turn it off whenever I needed to test my web server back in the days when I was using Fedora before getting fed up with SELinux and jumping distros.
      Yikes, it's really not that complicated to use. Your web server is likely more complicated than SELinux to configure and use. SELinux has one log file for you to tail. It has a bunch of global booleans you can set. And lastly you can allow or deny specific behaviors. If you are disabling SELinux to "make something work", you are very much doing it wrong. There is so much documentation available online nowadays too, there really is no excuse for turning off SELinux to "make something work".



      • #23
        Originally posted by sarmad
        It's a bad technology anyway. They may as well just drop it altogether rather than only dropping the NSA reference. It's bad because it's over complicated, and when something is over complicated it leaves room for mistakes that result in security holes. I remember needing to turn it off whenever I needed to test my web server back in the days when I was using Fedora before getting fed up with SELinux and jumping distros.
        Reaching out to shake hands
        While I just posted a way longer version of my SELinux story, yours sums up my early-on experience with it (distro hopping included) quite well.



        • #24
          Originally posted by billyswong

          There is also Zoom, with Chinese capital and a Chinese boss behind it. And it is harder to avoid, as use of TikTok is entirely voluntary while Zoom less so.
          I know. It sucks. It really doesn't help that I don't trust Google, Facebook, Twitter, and other American companies to not gather up my information and sell it to anyone who wants to buy it. I feel like I'm stuck between a rock and a hard place these days.

          Heck, I even think my own countrymen are more nefarious than the Chinese. The Chinese Communists are at least trying to make their ideal version of a society whereas the American Capitalists are selling out their own people for profit and using those profits to lobby and rig the system for themselves. That's why, per capita, The Land of the Free has more prisoners than the Communist boogeyman.

          Is there another option for a world power? It sure as hell isn't Russia or England.



          • #25
            Originally posted by markg85
            SELinux. The single most annoying Linux component ever built. Which is imho still true to this very day.

            ...

            I'm sure it has a special place for some people. To those: have fun with it. I've been bitten by it yet again and will very happily disable it again on new installs.

            There's always the people here too who are like security addicted and enable every feature that adds more security. Fine by me, you do you, I do me. Don't try to convince me to run that garbage.
            So I'm one of those people. I can totally understand that SELinux is a pain in the ass for your desktops or if you just have a few servers, but I've got 2000+ server VMs worth millions of dollars in front of tens of thousands of users who might be schlepping malware in and out of the environment on their phones and laptops. I hate working with SELinux, but I love that weird binaries trying to do novel things on systems are gonna get blocked and leave logs for me to look at. I sleep easier knowing that SELinux is requiring a SYSADMIN to approve novel activity.

            By all means, shut it off or switch it to permissive mode on your systems, but it's a powerful tool for those of us trying to keep malicious activity from happening in large production environments.



            • #26
              Why should this be rejected? I have never heard anyone refer to it as NSASELinux. Just SELinux. And I’d be worried about the stuff that is not branded honestly.



              • #27
                Originally posted by markg85
                Nothing, absolutely nothing at all, was even remotely hinting at SELinux at this point
                Except /var/log/audit/audit.log which I presume you never checked.

                Originally posted by markg85
                I wasn't expecting to be bitten that hard by SELinux again, but yeah, I was. It's a monstrous dumb bullshit piece of tech that should be thoroughly killed from Linux in my opinion. And yes, that's only because it's so freaking stealthy in the background where you don't even know that it is causing your troubles. It would've been much better if it somehow were communicated better. But then again, a distribution like Arch - that thrives these days - doesn't use SELinux at all. So if they don't need it why would I even bother using it? The tech is pointless in my view.
                Works perfectly everywhere I use it. Maybe you could have started with some basic manuals.



                • #28
                  Originally posted by Paradigm Shifter
                  But hey, as others have said in threads here you shouldn't worry unless you have something to hide, right?

                  Never mind that many laws are written in such a way that you're wrong no matter what you do, if the authority decides they want to prosecute/persecute you.
                  Yup and I still stand by that.
                  Don't break the law and you've got nothing to worry about. Seriously, it's not that hard to have a great life and be a good citizen at the same time. That's what gets me to question people like you: the only reason you care is because you're probably doing something morally objectionable.



                  • #29
                    Originally posted by avis

                    Except /var/log/audit/audit.log which I presume you never checked.



                    Works perfectly everywhere I use it. Maybe you could have started with some basic manuals.
                    So how does someone not aware of the existence of SELinux suddenly know to look at that particular log file located in that obscure place? Please enlighten everyone here. If you want to defend SELinux, you may suggest some killer feature that other modules such as AppArmor can't. But when someone said "I didn't know my problem is due to SELinux thus lost a day of time", a response such as "you should have gone take a look at a log file that only SELinux users will watch out for" is NOT an answer.

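Posts #22, #27 and #29 all turn on the same file, /var/log/audit/audit.log. As an added example (not written by any poster in this thread), the sketch below parses AVC denial records in that file's format and groups them, separating denials that were enforced from ones only logged in permissive mode. The log lines are constructed for illustration and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format the kernel writes to
# /var/log/audit/audit.log; they are not taken from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1693526400.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1693526400.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1693526401.500:457): avc:  denied  { read open } for  pid=1240 comm="httpd" path="/home/alice/site/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1693526402.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1693526403.000:459): avc:  denied  { write } for  pid=2001 comm="backup.sh" name="dump" dev="dm-0" ino=777 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    ctx_type = lambda ctx: ctx.split(':')[2]  # user:role:type:level
    return {
        'comm': fields.get('comm', '?').strip('"'),
        'source': ctx_type(fields['scontext']),
        'target': ctx_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'perms': tuple(m.group('perms').split()),
        # permissive=1 means the access was logged but NOT blocked
        'blocked': fields.get('permissive', '0') == '0',
    }

def summarize(log_text):
    """Count denials per (comm, source, target, tclass, perms, blocked)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[tuple(rec.values())] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        comm, src, tgt, tclass, perms, blocked = key
        state = 'blocked' if blocked else 'permissive (logged only)'
        print(f'{n}x {comm}: {src} -> {tgt}:{tclass} {{ {" ".join(perms)} }} [{state}]')
```

On a live system the stock tools `ausearch -m avc` and `audit2why` read the same records and explain each denial.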


                    • #30
                      Man the number of mental 12-year-olds in this thread positing the usual "USA EVIL" take and people complaining about SELinux just doing its job.

                      Seriously people; Grow up already. I know you're all in your 20s, 30s and 40s. Not 12.
                      "Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."

