2016-05-25
SELinux is beyond saving at this point
SELinux has problems. It has a complexity problem (in that it is quite complex), it has technical problems with important issues like usability and visibility, it has pragmatic problems with getting in the way, and most of all it has a social problem. At this point, I no longer believe that SELinux can be saved and become an important part of the Linux security landscape (at least if Linux remains commonly used).
The fundamental reason why SELinux is beyond saving at this point is that after something like a decade of SELinux's toxic mistake, the only people who are left in the SELinux community are the true believers, the people who believe that SELinux is not a sysadmin usability nightmare, that those who disable it are fools, and so on. That your community narrows is what naturally happens when you double down on calling other people things; if people say you are an idiot for questioning the SELinux way, well, you generally leave.
If the SELinux community was going to change its mind about these issues, the people involved have had years of opportunities to do so. Yet the SELinux ship sails on pretty much as it ever has. These people are never going to consider anything close to what I once suggested in order to change course; instead, I confidently expect them to ride the 'SELinux is totally fine' train all the way into the ground. I'm sure they will be shocked and upset when something like OpenBSD's pledge() is integrated either in Linux libraries or as a kernel security module (or both) and people start switching to it.
(As always, real security is people, not math. A beautiful mathematical security system that people don't really use is far less useful and important than a messy, hacky one that people do use.)
(As for why I care about SELinux despite not using it and thinking it's the wrong way, see this. Also, yes, SELinux can do useful things if you work hard enough.)