The problem with SELinux (still)
November 13, 2012
Here's a list of almost all of the bugs that got fixed in a recent Fedora 17 SELinux policy update:
I want to emphasize that this is a completely typical bug list for a completely typical SELinux policy update. I have not cherry-picked an unusually long one; they are pretty much all like this.
Fedora has been using SELinux for years, probably at least half a decade by now. It is still fixing many, many instances where SELinux gets in the way of programs doing legitimate things that people want them to do. The progress that it has made in literally years is at best that these are somewhat more obscure programs doing somewhat more unusual things than they used to be. Using SELinux in non-mainstream environments still means a steady rain of these denials, all of them getting in your way.
(Distributions have spent years desperately trying to make it easier to deal with this rain, but it is still a pain in the rear. I run into it periodically on my laptop, on which I still masochistically keep SELinux turned on.)
Note that this is not using SELinux in non-default configurations. These bugs are all (I assume) from stock configuration systems that SELinux just didn't quite cope with correctly.
At a meta-level, all of these bugs happen because doing a complete inventory of legitimate program behavior is very hard, especially because it's not something that can be done automatically (at least currently). A fallible human has to stare at a program for a long time to write its SELinux policy, and if they miss something you get another one of these bugs. People miss obscure corner cases a lot, especially when they are not intimately familiar with all of the aspects of the software.
Also, these are only the bug fixes for the bugs that people actually reported to Fedora. Since reporting Fedora bugs involves more than a little bit of work and pain I assume that any number of people don't bother to report SELinux problems that they run across; they either just tell the system to make things work or they turn SELinux off entirely.
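One way to look at that rain of denials before deciding what to do about it: the example below is my own added illustration, not code from the post or from Fedora, and it parses SELinux AVC denial records out of audit.log lines and groups them by source domain, target type and object class. That lets an administrator see what a program was actually blocked from doing (and which permissions it wanted) and decide whether this is a labeling or policy bug worth reporting, or something the program genuinely should not be doing, instead of feeding the whole log to a tool that generates allow rules. The record layout and field names are the ones the kernel's audit subsystem writes for AVC denials; the sample lines and their values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines in the layout SELinux AVC records use.
# The pids, inodes, timestamps and file names are made up; they are not
# taken from the Fedora bug list discussed in the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1352812345.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1352812345.200:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1352812400.001:458): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1352812500.555:459): avc:  denied  { write } for  pid=3456 comm="rsyslogd" name="messages" dev="dm-0" ino=999 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1352812500.555:459): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc:  denied  { perm perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Pull the type out of a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': set(m.group('perms').split()),
        'source': _type_of(fields.get('scontext', '')),
        'target': _type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
        'comm': fields.get('comm', ''),
        # permissive=1 means the denial was logged but the access went ahead
        'enforced': fields.get('permissive', '0') == '0',
    }


def summarize_denials(log_text):
    """Group enforced denials by (source type, target type, object class).

    Each entry records how many denials hit that triple and the union of
    permissions that were refused, which is what you need to judge whether
    the fix is a relabel, a policy bug report, or no change at all.
    """
    summary = defaultdict(lambda: {'count': 0, 'perms': set(), 'comms': set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or not d['enforced']:
            continue
        entry = summary[(d['source'], d['target'], d['tclass'])]
        entry['count'] += 1
        entry['perms'] |= d['perms']
        entry['comms'].add(d['comm'])
    return dict(summary)


def format_summary(summary):
    """Render the summary as one readable line per (source, target, class)."""
    lines = []
    for (src, tgt, cls), e in sorted(summary.items()):
        lines.append('%s -> %s (%s): %s  [%d denials, comm=%s]' % (
            src, tgt, cls, ' '.join(sorted(e['perms'])), e['count'],
            ','.join(sorted(e['comms']))))
    return lines


if __name__ == '__main__':
    for line in format_summary(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(line)
```

Reading the summary for the sample input, the httpd_t entry against user_home_t tells you a web server is serving files out of a home directory; that is typically a labeling question (the content is not labelled as web content) rather than a policy bug, while the rsyslogd line is dropped from the summary because it came from a permissive domain and never actually blocked anything. On a real system you would feed it the audit log itself (the grouping does not care about ordering or about the non-AVC records mixed in).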