As I've mentioned before, I started out with SELinux turned on on my laptop because it's essentially a stock Fedora install and that's how Fedora defaults, and using SELinux felt virtuous. Last year I reached the end of my patience with running SELinux in enforcing mode, where it actually denies access to things; instead I switched it to permissive, where it just whines about things that it would have forbidden and then a whole complicated pile of software springs into action to tell you about these audit failures with notifications, popup dialogs and so on. Today I gave up on that. My laptop now has SELinux disabled entirely (as my desktop machines have for years). The cause is simple: too many SELinux violations kept happening and especially too many new and different ones kept coming up. I am only willing to play whack-a-mole on notification alerts for so long before I stop caring entirely, and I reached that point today. The simplest and most easily reversed way to stop getting notifications about SELinux violations is to set the SELinux policy to disabled in /etc/selinux/config, so that's what I did. It's possible that some of the problem is due to just upgrading to Fedora 22 with yum instead of, say, fedup, and perhaps it could be patched up somewhat with 'restorecon -R /'. Perhaps a wholesale reinstall would reduce it even more (at the cost of putting me through a wholesale reinstall and then figuring out how to set up my environment and my account and keys and wifi access and VPNs and so on all over again). Certainly I assume that SELinux has to work for some people on Fedora. But I no longer care. I am done with being quixotically virtuous and suffering for it.
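As an added example (not from the post above or from any of the comments, and not Red Hat's own tooling), here is a small POSIX shell audit that reads the SELINUX= line from /etc/selinux/config the way the post edits it, compares it with the live mode from getenforce, and separates "permissive" (reversible, denials only logged) from "disabled" (file labels stop being maintained, so re-enabling later needs the 'restorecon -R /' relabel the post mentions). The function names and the sample config lines used in the test are my own constructions.

```shell
#!/bin/sh
# Added example: audit the SELinux state of a host before someone "fixes"
# a problem by switching it off. Reports the configured mode, the runtime
# mode, and a one-word verdict.

# Effective SELINUX= value from a config file: comment lines are ignored,
# whitespace around '=' is tolerated, and the last assignment wins.
# Prints the lowercased mode, or "unset" when missing/unreadable.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "unset"; return 1; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" \
           | tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${mode:-unset}"
}

# Live mode as reported by getenforce; "unavailable" on hosts without it.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]'
    else
        echo "unavailable"
    fi
}

# Verdict for a (config mode, runtime mode) pair:
#   disabled   - policy off in config; labels go stale, relabel needed later
#   permissive - denials logged but not enforced (the reversible state)
#   drift      - config and runtime disagree (e.g. a forgotten 'setenforce 0')
#   enforcing  - running as configured
selinux_verdict() {
    cfg="$1"; rt="$2"
    case "$cfg" in
        disabled) echo "disabled" ;;
        enforcing|permissive)
            if [ "$rt" != "unavailable" ] && [ "$rt" != "$cfg" ]; then
                echo "drift"
            else
                echo "$cfg"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Print a summary line; exit status is 0 only when the host is enforcing.
selinux_audit() {
    cfg=$(selinux_config_mode "${1:-/etc/selinux/config}")
    rt=$(selinux_runtime_mode)
    v=$(selinux_verdict "$cfg" "$rt")
    echo "config=$cfg runtime=$rt verdict=$v"
    [ "$v" = "enforcing" ]
}

# Usage: sh selinux-audit.sh --audit [/path/to/selinux/config]
case "${1:-}" in --audit) selinux_audit "${2:-/etc/selinux/config}" ;; esac
```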
@Nutsacjac1, 9 years ago
Thank you for uploading this!
@phillipodam994, 6 years ago
Yeah, great presentation Thomas. I've been using various distros of GNU/Linux for about 15 years and openly admit to being a long-time member of the setenforce 0; sed -i -e '/SELINUX=/s/enforcing/disabled/' /etc/selinux/config club, but at the same time I'm a strong believer in security / defense in depth, and while SELinux can at first be hugely daunting (been putting it off for years as DAC seemed sufficient for my needs), it's only ended up taking a few days to not just get my head around it but also work out exactly what I need to work within our production environment... well, with a bit of help from people like Dan Walsh perhaps. I can certainly see why SELinux won't be something people will be too accepting of for their personal PC unless the policies shipped with their favourite apps are 100%, but for servers the barriers, like you've shown, have really come way down. And a little immediate convenience trade-off for a nice boost in security only makes sense to me; besides, it's not too convenient when you find out you've been broken into.
@RaymondChen, 6 years ago
Thank you so much, Thomas. This is so helpful. Now I know why my VM hung when I set it to enforcing and rebooted.
@yoshi314, 9 years ago
Now I really feel like trying out SELinux; this looks fairly usable.
@orever, 9 years ago
I really appreciate that these videos are available for free, but the constant panning of the camera is very irritating.
@jerther_, 7 years ago
The 2013 one on the same matter is barely watchable.
@zootytheduck4800, 9 years ago
Disable iptables, disable selinux, chmod 777 all the things because who needs security?
@dylantaylor490, 8 years ago
+Zooty The Duck Why not set password to an empty string and enable root login remotely without a password while you're at it for good measure?
@Tech-Learning, 8 years ago
But really, disable SELinux. Just today I got into a situation in which I didn't touch anything on SELinux, just installed a new package and its dependencies, and after that no one, really no root, no system admin, no other user was able to log into the server. I had no idea what happened. After restarting the server (about 4 hours later, after a long mail chain with the datacenter) I came to know SELinux does everything. Why why why, the fucking SELinux messed up the whole server. It made RHEL look bad as a server: once you install something on RHEL you need to restart the server in single user mode to resolve the issue caused by SELinux. Yes, what the site stopdisablinselinux.com says, Dan Walsh deserves to cry; his SELinux was just going to make me jobless while I was not even touching it. Ubuntu and Debian are so successful without SELinux, why does Red Hat need it? Why? From now on, if I get access to any system to set up, if it has SELinux I will simply try to uninstall the SELinux packages. Not only disabling them but completely erasing SELinux from the system.
@zootytheduck4800, 8 years ago
Dylan Taylor that's good advice, I'll remember that!
@geicogecko8524, 8 years ago
Don't forget to run rm -rf / at work
@YumekuiNeru, 8 years ago
rm /bin/rm
@aswinivayyala5118, 6 years ago
Great presentation with real world examples. Have to give it to the guy to keep the presentation super interesting.
@anthonyjones5962, 7 years ago
Great video, just what I needed to fix my issues. Thank you.
@threeone6012, 5 years ago
If you've got nothing better to do over the next 2 years you can become great at SELinux.
@fukRiaa, 9 years ago
Or if you care about security on an internet-facing server you could install OpenBSD, which puts much more emphasis on getting the code correct in the first place and has far fewer CVEs than any Linux distro, instead of just bolting on a clumsy RBAC system and praying it tangles up the horse as it leaves the barn door, when it is actually much more likely to kick the farmer in the groin.
@Tech-Learning, 8 years ago
I think Debian is also better than Red Hat if Red Hat doesn't stop their SELinux junk.
@Aduskett, 8 years ago
Ahahahahahaha Debian is god awful dumpster-fire garbage.
@v1rtu4l, 9 years ago
That was very informative =)
@PierreYvesLochou, 7 years ago
Hello! Is there some equivalent written paper somewhere? Thank you very much!
@ThomasCameron, 7 years ago
people.redhat.com/tcameron/
@undefined879, 6 years ago
In the face of this, for the SELinux community to feel that people are stupid, lazy, or ignorant for not jumping through the magic SELinux hoops and all would be well in the world if only they would mend their woeful ways is breathtakingly stupid and counterproductive. At a stroke it sabotages almost any chance SELinux might have to actually make meaningful improvements. Not that such improvements would be easy even if the SELinux community listened to what the world was telling them (because it's a hard problem), but if the community did listen they might at least have some sort of chance. (Not that this sort of blindness is new in security or in general.) (What I think the SELinux community should be doing is a sufficiently large issue that it doesn't fit in the margins of this entry. Of course it's an open question if SELinux can be saved or is worth saving in general given its origins; I think there's a real argument that SELinux's security model simply does not meet people's real security needs by design.)
@KoflerDavid, 7 years ago
Love it :-) Hope it helps me to make Apache in a container work.
@truboxl, 8 years ago
Still open Bugzilla report though...
@undefined879, 6 years ago
When people say 'this security tool is too hard to use, gets in my way, and isn't giving me any real benefits', telling them 'it's great if you only spend more time learning how to deal with it' is doubling down on your problems. If you then compound things by telling people that they are just stupid and lazy, don't be surprised if they immediately tune you out because you're acting like a zealot (you may or may not be one, it doesn't matter to people). It's been apparent for years that SELinux had serious problems in real life (regardless of what the theory says). For example, it's widely considered standard practice to disable SELinux immediately on server installs (as mentioned in the Twitter thread I got this from). The reason people reject SELinux in its current state is pretty simple: security is not their top priority. Unless you are a high risk target, spending almost any time beating SELinux into shape on your machine is a bad tradeoff and pretty much a waste (partly because SELinux is just a backup).
@BenGosney-dog, 6 years ago
I'd agree with you if this wasn't aimed at sysadmins.
@jasonmicron, 8 years ago
Someday the people at Red Hat that say things like this, yet never touch production systems in enterprise environments will realize that living in a bubble and assuming it's their way or the highway is no way to go through life.
@kbdkbd99, 8 years ago
Completely agree with you Jason. Whenever I hear someone saying something like "ye I was using SunOS 4 back in the day" (OSF, Irix (Silicon Graphics), DEC Ultrix, whatever), it usually means they are trying to persuade me of something by implication, and I'm the world's biggest sceptic!! :-)) Anyhow, it's a good talk so I rated it up.
@tomatobros, 7 years ago
NSA grade security topkek.
@cuszco, 7 years ago
en.wikipedia.org/wiki/Security-Enhanced_Linux
@undefined879, 6 years ago
SELinux has problems. It has a complexity problem (in that it is quite complex), it has technical problems with important issues like usability and visibility, it has pragmatic problems with getting in the way, and most of all it has a social problem. At this point, I no longer believe that SELinux can be saved and become an important part of the Linux security landscape (at least if Linux remains commonly used). The fundamental reason why SELinux is beyond saving at this point is that after something like a decade of SELinux's toxic mistake, the only people who are left in the SELinux community are the true believers, the people who believe that SELinux is not a sysadmin usability nightmare, that those who disable it are fools, and so on. That your community narrows is what naturally happens when you double down on calling other people things; if people say you are an idiot for questioning the SELinux way, well, you generally leave. If the SELinux community was going to change its mind about these issues, the people involved have had years of opportunities to do so. Yet the SELinux ship sails on pretty much as it ever has. These people are never going to consider anything close to what I once suggested in order to change course; instead, I confidently expect them to ride the 'SELinux is totally fine' train all the way into the ground. I'm sure they will be shocked and upset when something like OpenBSD's pledge() is integrated either in Linux libraries or as a kernel security module (or both) and people start switching to it.
@GuillermoQuinteros_, 6 years ago
setenforce 0
@Tech-Learning, 8 years ago
Disable SELinux, you don't need it; anything can be done without using SELinux. But if you enable it, you will have a lot of issues, like I got on my production system. Would you like the situation in which you install a small binary with its dependencies through yum and think "I am done", log out of the terminal and log back in, and you get authenticated but before getting a shell you are automatically logged out? Ohh, why? Am I the only person to experience it on that system? No, no user on that system was able to log in, even on the VM console. Everyone was getting logged out as they logged on. Then we called the datacenter and restarted a production server (on a weekday) in order to set SELinux to disabled to resolve the issue. Why not disable it before it brings you to such situations?
@McNubblet, 8 years ago
You should probably consider learning about test/staging/production machines to sort out these problems before they arise. SELinux is great if you take the time to learn it (it's really quite simple when it comes down to it). This attitude is one of ignorance: "I can't figure it out, so it must be bad" doesn't really help anyone at all.
@Tech-Learning, 8 years ago
Yes I know, but I am not the developer of SELinux. I was deploying the tested build on production. It's not that I don't know, it's WTF, this shouldn't happen even in my dev system if I use SELinux. SELinux shouldn't force you into single user mode. It's ignorance by the SELinux developers, not me.
@marcobulgarini5252, 8 years ago
I'm just pitching in to say that the ignorance is definitely yours, not knowing that a simple "setenforce 0" could have reduced the impact on a production env. And if you don't know this simple one, you probably can't guess a lot of other stuff. ...and all of this from an "SELinux disabled" guy - at least, until now.
@Tech-Learning, 8 years ago
Marco Bulgarini, yes, the ignorance is basically from the system admin who set up the server, I agree. You are right. I was just setting up my application there. So, either the system administrator should set up the application or I should manage the server, as I already instructed them to run "setenforce 0" with a permanent change in the SELinux settings. Thanks for commenting.
@marcobulgarini5252, 8 years ago
+1 on having good documentation on everything prod. A general rule I follow is: if it's live, no dark spots - ESPECIALLY if it's bound to be troubleshot, like SELinux.
@tonytheleg801, 7 years ago
FFS, thank you for this video. The theory made total sense, but the implementation didn't.
@Nicrame, 6 years ago
52 minutes about a security enhancement that is for mere mortals? Really? Please check how easy Windows Firewall is to set up, then compare it, and we may talk about what simple to use and configure means...
@BenGosney-dog, 6 years ago
Please check what Windows Firewall does and then compare it to what SELinux does, then rethink your comment. If you were comparing Windows Firewall to iptables, I'd be right there with you.