
SELinux In Linux 6.6 Removes References To Its Origins At The US NSA


  • skeevy420
    replied
    Originally posted by billyswong

    There is also Zoom, with Chinese capital and a Chinese boss behind it. And it is harder to avoid, as use of TikTok is entirely voluntary while Zoom is less so.
    I know. It sucks. It really doesn't help that I don't trust Google, Facebook, Twitter, and other American companies to not gather up my information and sell it to anyone who wants to buy it. I feel like I'm stuck between a rock and a hard place these days.

    Heck, I even think my own countrymen are more nefarious than the Chinese. The Chinese Communists are at least trying to make their ideal version of a society whereas the American Capitalists are selling out their own people for profit and using those profits to lobby and rig the system for themselves. That's why, per capita, The Land of the Free has more prisoners than the Communist boogeyman.

    Is there another option for a world power? It sure as hell isn't Russia or England.



  • markg85
    replied
    Originally posted by sarmad
    It's a bad technology anyway. They may as well just drop it altogether rather than only dropping the NSA reference. It's bad because it's overcomplicated, and when something is overcomplicated it leaves room for mistakes that result in security holes. I remember needing to turn it off whenever I needed to test my web server back in the days when I was using Fedora before getting fed up with SELinux and jumping distros.
    Reaching out to shake hands
    While I just posted a way longer version of my SELinux story, yours sums up my early-on experience with it (distro hopping included) quite well.



  • torsionbar28
    replied
    Originally posted by sarmad
    It's a bad technology anyway. They may as well just drop it altogether rather than only dropping the NSA reference. It's bad because it's overcomplicated, and when something is overcomplicated it leaves room for mistakes that result in security holes. I remember needing to turn it off whenever I needed to test my web server back in the days when I was using Fedora before getting fed up with SELinux and jumping distros.
    Yikes, it's really not that complicated to use. Your web server is likely more complicated than SELinux to configure and use. SELinux has one log file for you to tail. It has a bunch of global booleans you can set. And lastly you can allow or deny specific behaviors. If you are disabling SELinux to "make something work", you are very much doing it wrong. There is so much documentation available online nowadays too, there really is no excuse for turning off SELinux to "make something work".



  • chuckula
    replied
    I didn't use SELinux specifically, but way, way back in the day I wrote my own LSM (Linux Security Module) for grad school that used the same OS hooks as SELinux for Domain & Type Enforcement. It was fun showing root failing to delete the /bin directory in a live demo.



  • markg85
    replied
    SELinux: the single most annoying Linux component ever built. Which is IMHO still true to this very day.

    Here's a "fun" little story about that single feature changing my Linux distro usage. Many, many, many years ago I was a Fedora user. At that time SELinux was either brand new or was just coming to regular distributions (I don't quite recall which one it was); fact is that I began noticing it. In the early days that was with a true shitload of security policy notifications approving or denying requests. I think not long after that insanity Torvalds made a remark that printers should not need root? Anyhow, I digress. This never-ending flow of just total Linux usage pain caused me to disable SELinux on every new install that had it. Problems gone, happy user.

    But every new install had it and did require that disabling. Over time I got fed up with that too, so I moved to a distribution that was more aligned with my use of Linux. Arch Linux was that distribution. Turns out that Arch just doesn't support SELinux at all. Never has and doesn't to this day (though you can get it if you want it).

    Now fast forward to a couple of weeks ago, when I was installing a VPS node. I don't quite remember if it was using AlmaLinux or that other CentOS-derived one. What usually took me a couple of minutes (setting up Docker and running my container) now took a couple of days of debugging. My issue? I was mounting a volume inside a Docker container that I wanted to modify from outside the container (think of config files). Nothing wrong with that setup, it's very common. Yet somehow Docker - or rather Podman specifically in this case - just downright refused to work, with permission denied errors. After many head-scratching hours of debugging I went with root for the files both inside and outside of the container; that too didn't work. Something somewhere was very persistently blocking it. Nothing, absolutely nothing at all, was even remotely hinting at SELinux at this point. Yet upon discovering it being enabled and running, disabling it fixed my case. In hindsight the :z volume mount option would've probably saved me and played nice with SELinux. Remember though, I didn't know it was SELinux causing this, thus searching for a fix to that permission denied error also didn't bring up any results indicating that I needed to add that option.

    I wasn't expecting to be bitten that hard by SELinux again, but yeah, I was. It's a monstrous dumb bullshit piece of tech that should be thoroughly killed from Linux in my opinion. And yes, that's only because it's so freaking stealthy in the background where you don't even know that it is causing your troubles. It would've been much better if it somehow were communicated better. But then again, a distribution like Arch - that thrives these days - doesn't use SELinux at all. So if they don't need it, why would I even bother using it? The tech is pointless in my view.

    I'm sure it has a special place for some people. To those: have fun with it. I've been bitten by it yet again and will very happily disable it again on new installs.

    There's always the people here too who are, like, security addicted and enable every feature that adds more security. Fine by me, you do you, I do me. Don't try to convince me to run that garbage.

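The two posts above describe the same workflow from opposite ends: a container bind mount failing with a bare "permission denied", and the advice that SELinux has one log to read. As an added example that is not part of any poster's message, this shell function summarises AVC denials from audit-log lines and flags the container-volume case; the function names, the sample log lines and the hint heuristic are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample input: two AVC denials plus one unrelated audit record.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1693380000.123:456): avc:  denied  { read } for  pid=2101 comm="nginx" name="app.conf" dev="vda1" ino=131 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1693380000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:container_t:s0:c123,c456 key=(null)
type=AVC msg=audit(1693380100.001:471): avc:  denied  { name_connect } for  pid=1502 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit records on stdin; print one line per denial:
#   comm|tclass|perms|source_type|target_type|hint
avc_summary() {
  awk '
    function field(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    /avc: +denied/ {
      perms = $0
      sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      comm = field("comm"); gsub(/"/, "", comm)
      # An SELinux context is user:role:type:level, so the type is field 3.
      split(field("scontext"), s, ":"); split(field("tcontext"), t, ":")
      hint = "-"
      # Heuristic (assumption): a container process denied on a file that
      # lacks the container file label points at an unrelabelled bind mount.
      if (s[3] == "container_t" && t[3] != "container_file_t")
        hint = "relabel-volume(:z)"
      printf "%s|%s|%s|%s|%s|%s\n", comm, field("tclass"), perms, s[3], t[3], hint
    }
  '
}

# Stand-alone run on the constructed sample.
sample_audit_lines | avc_summary
```

On a live host the input would be `/var/log/audit/audit.log` or `ausearch -m AVC -ts recent`, and `ls -Z` on the host directory shows the label the container was denied on. `:z` relabels the host path itself, so it belongs on a dedicated directory rather than something like a whole home directory.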


  • billyswong
    replied
    Originally posted by skeevy420
    All things considered, I'm more worried about the Chinese and TikTok than I am the Americans and SELinux. One is a closed source app with ties to the Chinese Communist Party/Government that requires you to disable security protections to fully work whereas the other one is an open source security protection that tries to keep us safe from nefarious actors.

    It also doesn't help that TikTok uses different algorithms for different countries and peoples and the one used for Americans and western society pushes content to intentionally divide and anger Americans.

    TikTok is literally the Communist Party Propaganda Machine.
    There is also Zoom, with Chinese capital and a Chinese boss behind it. And it is harder to avoid, as use of TikTok is entirely voluntary while Zoom is less so.



  • skeevy420
    replied
    All things considered, I'm more worried about the Chinese and TikTok than I am the Americans and SELinux. One is a closed source app with ties to the Chinese Communist Party/Government that requires you to disable security protections to fully work whereas the other one is an open source security protection that tries to keep us safe from nefarious actors.

    It also doesn't help that TikTok uses different algorithms for different countries and peoples and the one used for Americans and western society pushes content to intentionally divide and anger Americans.

    TikTok is literally the Communist Party Propaganda Machine.



  • avis
    replied
    The patch looks completely logical to me.

    The original wording makes it sound like NSA is a sort of purveyor/company behind SELinux and should be talked to if you have any issues with SELinux which is not the case.

    SELinux has been almost entirely Red Hat's/community effort for the past 15 years or so.

    man selinux still shows all the necessary info:

    NAME
    SELinux - NSA Security-Enhanced Linux (SELinux)

    DESCRIPTION
    NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at https://github.com/SELinuxProject.



  • billyswong
    replied
    Originally posted by archkde

    This just doesn't make sense, it's not "Immunix AppArmor" or "NTT Tomoyo" either.
    So the whole thing is someone in the NSA got over-confident in their brand and thought putting their name on it would boost the reputation of SELinux. But no, as long as governments around the world like to eavesdrop on people for the sake of "national security" or "anti-terrorism", their involvement will just stain any software/hardware projects about information security.
    Last edited by billyswong; 30 August 2023, 06:24 AM.



  • Danny3
    replied
    WTF?
    I agree with others, this change should be refused.
    Stop trying to rewrite history!

