
Can I disable it? It seems like in most deployments that is exactly what happens to SELinux.


I’m using Fedora in enforcing mode, and so are probably most Fedora users. SELinux is usually completely transparent on desktop[1]. Of course it can sometimes cause some issues you might be unprepared for.

The most recent one I can remember was configuring Postfix to perform local delivery to ~/.local-mail/inbox. I had to manually change the security context for that directory. Or linking /var/www/foo to ~/foo is an example of something that you might expect to work, but would be blocked by SELinux.

But those are not the kind of things you would do on Android anyway. They use SELinux to strengthen the security framework they already have in place. SELinux is just the last line of defence for implementation bugs and things they might have missed. It would be completely unintrusive.

The NSA presentation is worth watching; they go through various Android exploits that could have been prevented by the policy they developed, without actually targeting those specific exploits.

https://www.nsa.gov/research/selinux/

[1] It’s also because it unfortunately isn’t actually used by most desktop applications, with some exceptions, like Chromium.


I am embarrassed to say this, but rather than configure SELinux to do those little things - like local mail delivery or open a new socket for httpd - I tend to just disable it. I'll chalk it up to a usability problem on their part and not laziness to learn it on mine.

I'm familiar with it, I've written some policies in it, I remember when it was introduced. That said ... I don't use it.


Instead of disabling it, consider putting it into permissive mode. It logs violations but doesn't enforce any rules. It's a good way to get a feel for what it's doing. You can tweak the rules, view the logs, tweak some more, and work up to a tight policy before enabling.

Also, if you disable it, re-enabling requires that you relabel all of your files and reboot the system; the relabel process can take an impressive amount of time.

Switching between enforcing and permissive can be done on the fly with the setenforce command, no reboot required.

I do think that laziness is a virtue in a sysadmin when properly applied, but using selinux is in your best interest.
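
Added example, not part of the thread: a small shell helper for the "view the logs" step of the permissive-mode workflow described in the comment above. It groups AVC denial records by source type, target type, class and permission, and uses the record's `permissive=` field to show whether the access was only logged or actually blocked. The log lines are constructed samples modelled on the Postfix and httpd cases mentioned earlier in the thread; `sample_avc_log` and `summarize_avc` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real system).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1400000000.101:201): avc:  denied  { write } for  pid=2101 comm="local" name="inbox" dev="dm-1" ino=5001 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1400000003.102:202): avc:  denied  { write } for  pid=2107 comm="local" name="inbox" dev="dm-1" ino=5001 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1400000009.103:203): avc:  denied  { read } for  pid=3001 comm="httpd" name="foo" dev="dm-1" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1400000009.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
EOF
}

# summarize_avc: read audit records on stdin and print one line per unique
# denial: "<count> <mode> <source type> <target type> <class> {<perms>}".
# mode is "permissive" (logged only), "enforcing" (blocked), or
# "mode-unknown" when the record carries no permissive= field.
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      src = ""; tgt = ""; cls = ""; mode = "mode-unknown"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        else if ($i == "permissive=1") mode = "permissive"
        else if ($i == "permissive=0") mode = "enforcing"
      }
      # Permission list sits between "{ " and " }".
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 2, e - s - 3)
      n[mode " " src " " tgt " " cls " {" perms "}"]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Stand-alone run over the constructed sample.
sample_avc_log | summarize_avc
```

On a real host the function can read the audit log instead of the sample, for example `ausearch -m AVC -ts recent | summarize_avc`.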


Laziness might be justified sometimes, but you may as well call it what it is.


You shouldn't feel embarrassed, SELinux is so fine-grained that a proper configuration is very difficult to attain.


Directly from the article: "The other key piece of information to get from the string file is that this is an optional mode..."


Surely vendors could choose to make it optional unless you have the correct permissions, could they not?


It's only disabled by clueless admins. The security gain from the tiny amount of work it takes to get working is massive.


Or admins who don't want to spend a day or two to learn about selinux and implications of adding it, then a couple more days to actually implement proper policy for the company and deal with all the things you did not expect at first.

In reality it's not a tiny amount of work unless you're dealing with a single server. It's not a small amount of information to learn either. And it can have pretty bad effects if you happen to cut off your access by accident. So no, can't agree with the clueless admins comment.


That was ages ago at least with Fedora. I used to disable it as well, but I stopped doing this about 3 years ago.


Yes I tend to disable it.

It's the Verified By Visa of OS security.



