SELinux

The following is taken from a post to the WAUK list by James Firth of www.daltonfirth.co.uk

James, a 15-year Linux veteran (starting with Slackware in 1994), sees one significant hurdle to wider SELinux adoption: when one comes across an application problem related to SELinux,
a.) Google (or your favourite search tool) is not as helpful as it is when finding solutions for more general Linux issues
b.) Where a solution is available, it usually includes the advice “disable SELinux”

He’s no SELinux evangelist, doesn’t claim to be an expert – just a user – and acknowledges the varying views: it’s perhaps not suited to all environments, some purists argue it’s simply not needed, and it can be a royal P.I.T.A.

Enabling SELinux is easy. Set:

SELINUX=enforcing

in /etc/sysconfig/selinux and reboot. This is one of the few times in the Linux world that a reboot is genuinely needed, as the kernel needs to apply special labels to the unmounted file system.
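
The check below is an added example, not part of the original post: it reads the SELINUX= line from a config file and reports whether reaching that mode from the running mode needs a reboot. The function names and the sample file are made up for illustration; getenforce is the standard SELinux utility, and taking the first uncommented SELINUX= line is an assumption about how the file is read.

```shell
#!/bin/sh
# Added example: which SELinux mode is configured for the next boot, and
# does reaching it from the running mode need a reboot?

# Print the mode from the first uncommented SELINUX= line of config file $1.
# Prints "unset" when there is no such line (or the value is empty) and
# "invalid" for any value other than enforcing, permissive or disabled.
configured_mode() {
    value=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | head -n 1)
    value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    case "$value" in
        enforcing|permissive|disabled) printf '%s\n' "$value" ;;
        '') printf 'unset\n' ;;
        *) printf 'invalid\n' ;;
    esac
}

# Decide what is needed to move from running mode $2 (as printed by
# getenforce: Enforcing, Permissive or Disabled) to configured mode $1.
boot_action() {
    running=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo "fix-config"; return ;;
    esac
    if [ "$1" = "$running" ]; then
        echo "none"
    elif [ "$1" = disabled ] || [ "$running" = disabled ]; then
        echo "reboot-required"       # enabling or disabling needs a reboot
    else
        echo "applies-at-next-boot"  # setenforce can switch this at runtime
    fi
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
mode=$(configured_mode "$sample")
echo "sample: configured=$mode action=$(boot_action "$mode" Disabled)"
rm -f "$sample"

# On a real host: compare the config file named above with the running mode.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/sysconfig/selinux ]; then
    mode=$(configured_mode /etc/sysconfig/selinux)
    echo "host: configured=$mode action=$(boot_action "$mode" "$(getenforce)")"
fi
```
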
At this point, some – many, in fact – will say that this will be the start of all your woes!

While the frustrations with SELinux are real, cynical comments like this are what cause countless highly qualified sysadmins to abandon SELinux. And their abandonment of SELinux is why, when you come to Google an application error message, often the only advice you find is “disable SELinux”.

To the outsider it’s a black art: it’s not immediately obvious where to start when diagnosing problems; it’s often not even apparent that SELinux is the cause of the problems(!); and even those “in the know” often get frustrated and end up disabling it (usually whilst coming under pressure to get a system working, fast).

But as with anything there’s a balance to be struck, and SELinux in “enforcing mode” can be a valuable additional layer to the security “onion”.

So putting theory and politics aside, if you do want a practical introduction to SELinux, this is intended to be a quick primer.

Maybe now is the time for a new mantra: “Don’t be scared of SELinux”?

This wiki is intended as a simple introduction, not a comprehensive guide or a general discussion around SELinux. I’d like to keep it clear and as simple as it can be, and would encourage that any tangential topics be discussed on a new page.