I Hate SELinux. You Can Too. (Linux+ Objective 2.5.1)

  10,678 views

Shawn Powers

1 day ago

SELinux (Security-Enhanced Linux) is a security system used in most Red Hat-based distributions. There's nothing really wrong with it, but it's confusing, frustrating, and far too complicated, in my humble opinion. Thankfully it comes with some pretty sane defaults.
It's OK if you don't hate it with me, but after this video, you'll be able to form an educated opinion of your own. Plus, it will prepare you for the Linux+ certification if that's something you're interested in getting!
The CompTIA Linux+ objectives are available here: snar.co/plusob...

Comments: 47
@charleschouteau2711 1 year ago
Thank you Shawn, this is probably the clearest video about SELinux on YouTube! I remember discovering you like 10 years ago on the CBT Nuggets videos for LPIC certification. Your enthusiasm, amazing teacher skills and your passion about Linux helped me a lot through the learning process, thank you for that and for the amazing content.
@shawnp0wers 1 year ago
Thank you! It can be such a confusing beast, I'm glad my explanation makes sense! Also glad you found me here! :)
@Starcloud1986 1 year ago
I completely agree with you! Thanks Shawn Powers!
@cmtopchem 1 year ago
I tried in vain to understand SELinux in CompTIA Linux+, but you describe it so simply that it is really fun. A well spent half hour.
@shawnp0wers 1 year ago
Thank you!
@project_mini_hero 1 year ago
I want to thank you Shawn for your great content. I passed my exam today with your help. I found your videos a week ago and it was what I needed to not only reinforce what I had learned so far but actually allowed me to understand topics which other videos or courses did not go into. Keep up the great work and I hope others find your content as informative as I did.
@shawnp0wers 1 year ago
First off -- CONGRATS! And thank you, that means a ton to me! :)
@scartyz762 5 months ago
This randomly popped up in my recommendations, and watching your video I suddenly have the desire to install a distro that supports SELinux. You made me love it. Thank you.
@iamanikad 9 months ago
I love SELinux. Sure the config is a pain, but I learned how to read the log file, set Booleans, configure contexts, etc. With a little bit of learning and effort, you too can be an SELinux pro! It’s a great addition to your server security and has prevented my web server from getting compromised.
@samu5167 1 year ago
Thank you for the video. Feels like the Internet has way too little information about SELinux.
@shawnp0wers 1 year ago
It can be such a tough topic. And while this certainly doesn't cover every detail of it, my hope was to make what it does understandable, and dealing with it possible. (Instead of just turning it off, which I'll admit I've done a LOT of times myself!)
@chrisc.4630 3 months ago
I've been trying to figure out SELinux for months. In less than 15 minutes into your video I had my Eureka moment. Thanks!
@Agnubis 1 year ago
My first job as a sysadmin had me work on CentOS machines and I just hated SELinux. I have yet to meet anybody who likes it. Like you said though, it came from a good idea but the implementation and its user-friendliness are debatable.
@brentsaner 1 year ago
I like it. I deploy it in prod. It's proven to stop vulns that otherwise would have succeeded and given attackers access. There's a learning curve, but part of that is because of how flexible it is compared to something like AppArmor - just like any proper security engineering.
@szmonszmon 8 months ago
You probably work with people with a skill issue. It happens...
@joshmc5882 18 days ago
It has only really surfaced a couple of times on my stock Fedora install, and that was when I changed the default folders that an app was writing to / reading from. Usually it just worked.
@SlinkyD 1 year ago
This needs to be the first intro to SELinux for everyone. I learned the hard way when it was rolled out. I hate it because it took me farther down the Linuxhole than I wanted to go.
@JayAdams-km5fq 1 year ago
Thanks!
@evanslawrence88 8 months ago
Thank you Shawn. SELinux is definitely one of the most confusing topics on the Linux+ exam, but you have made it much more understandable.
@zuoreclame2821 3 months ago
I know I am out of context, but can you please tell me the name of the lamp with bouncing colours :)
@szmonszmon 8 months ago
"I Hate SELinux because it does what it was made to do" - corrected xD
@jl6693 6 months ago
Thank you for the presentation, very useful. You hate it because it is complicated, I guess, and that's fair... don't tell anyone but because of that I don't like it that much either. It would've been more useful to touch more on the fields of "-Z" as I think there's a lot of info to be uncovered in there, then a bit more on the default policies and how to work with them, check on their details and so on. Not to forget the logfiles, extremely useful in the recent versions as you can read and do a copy/paste of commands needed to correct the issues. Maybe in a follow up video or something like a deep dive or tshoot etc. Thank you!
@walter_lesaulnier 1 year ago
The selinux log is hundreds of lines of the most incomprehensible log file I have ever seen. Great video, thanks. Helped my understanding a lot.
@shawnp0wers 1 year ago
Glad it helped!
@Recumbent_IT 7 months ago
I can't even enable SELinux :D Installed a fresh copy of Rocky Linux which came with policycoreutils preinstalled but sestatus showed disabled. There was no config file in /etc/selinux/, but I created one and filled it with SELINUX=enforcing/permissive, restarted the system after every change, but still disabled. Uninstalled policycoreutils, restarted the OS, installed it again (still no config file), restarted but still disabled. Installed it on Ubuntu where it created the config file, changed the SELINUX value to permissive/enforcing, restarted but it's still disabled.
@Recumbent_IT 7 months ago
Installed CentOS and it also doesn't have the config file and SELinux is disabled by default.
@Recumbent_IT 7 months ago
Found the issue. I was using containers and WSL and apparently SELinux won't work on those. I've just spun up a Linux VM and it's enabled by default.
@kjakobsen 1 year ago
I think it's a pity that people have such a hate for a technology this important. Even the teachers I had for Linux taught us to turn it off completely. I don't like when we teach bad practices.
@shawnp0wers 1 year ago
I understand the concern over teaching bad practices - the thing about SELinux is that the added security it offers, particularly in the bulk of situations, pales in comparison to its complexity and the frustration it causes. A security practice is only as good as its usability, in a practical sense. Don’t get me wrong, I really do understand your frustration, and agree in spirit. But “the juice isn’t worth the squeeze” in my experience. I wish that weren’t the case.
@Agnubis 1 year ago
I tend to agree with Shawn with the caveat that if you work on systems that should be made highly secure in huge companies (yes, it's anyway always a good idea to harden your machines) you're going to want to use all the tools that you have at your disposal. If that means getting your hands dirty with SELinux and getting experienced with it, it'll probably be worth it in the long run as long as your team has proper documentation that comes with how it's used on servers. However, just because something is important, like SELinux is, does not mean we can't dispute how it was implemented and its apparent complexity. I know that not everything can be made simple but especially when it comes to security which is so important nowadays, it's a good idea to, when possible, consider this when creating features (keeping in mind when SELinux was created, of course).
@jl6693 6 months ago
@Agnubis yeah probably for home setups use AppArmor or nothing, but for enterprise it should be worth the effort.
@DigitalMetal 1 year ago
I also hate SELinux. I have very little experience with it but the experience I do have has always just been a headache. It doesn't seem to fix a problem and just makes things more complicated. If I don't want the web server accessing files, that's what file permissions are for. If I don't want people having web directories in their home directories, that's a setting in Apache. Adding a second step just confuses things and is more likely to break something.
@jl6693 6 months ago
Yes, it is complicated. If it doesn't seem to add value to your situation(s) then it is ok not to use it; the learning curve is quite steep and big.
@cdrbvgewvplxsghjuytunurqwfgxvc 7 months ago
That was an awesome overview
@4thatfilm 1 year ago
semanage @27:28 vs. setsebool
@TirajAdikari 1 year ago
Thank you Shawn .. you managed to make me hate SELinux too :D
@barma1309 3 months ago
Dan Walsh approved!
@Termonia 6 months ago
What about the connection between Fedora, Red Hat, and the fact that SELinux was developed by the NSA? How is that supposed to be secure? How can I trust something like that, even if they say, 'Don't worry, it's open, people are reviewing it'? Plus, Fedora’s licenses include restrictions for countries not aligned with the US. OpenSUSE, which is kind of the European equivalent, uses AppArmor instead of SELinux. Why is that?
@Maisonier 6 months ago
+1
@AriaTheDisciple 22 days ago
It being developed by the NSA is even more of a reason to trust it in the same way you probably trust Tor despite being developed by DARPA. The source here doesn't matter, the source code does, and openSUSE supports both security policy implementations. This is a very narrow way to look at it.
@stanleyogadachinedu 10 months ago
Thank you
@sveu3pm 1 year ago
Great video. Only why do you verbalize commands so much? It's much easier to do 0 1 2 than permissive enforcing and whatever is 3 shit. Same with on off. Off is 3 letters, 0 is only one. And you have to memorise off because it can theoretically also be disabled, or disable or remove.
@stanleyogadachinedu 9 months ago
I hate AppArmor lol
@sirmongoose 1 year ago
I hate SELinux. Learned about it for months, kept getting permission context errors. Couldn't get anything to work so I just disabled it entirely
@12six69 9 months ago
lmao