I believe SELinux needs active support from your distribution
We have a single machine that uses SELinux, because it has a need for an unusually thorough level of security. This machine runs CentOS 7, because at the time we built this machine (several years ago), CentOS 7 was the obvious long term support Linux to use to get a high security, SELinux based environment. Since CentOS has effectively imploded, we are going to need to replace that machine with some other distribution before the middle of 2024, and the default choice is Ubuntu.
If we're going to build a new Ubuntu based machine for this role, one question is whether or not we want to try using SELinux. I've been thinking about this, and my answer so far is no. I don't think we want to try to make SELinux work on Ubuntu. If you do a little bit of Internet searching, there are obvious warning signs, such as the minimal state of the Ubuntu wiki SELinux page and its warnings (and relatedly the various cautions on the Debian pages). However, I feel there is a more general reason, which is that in practice, SELinux needs active support from your distribution and Canonical is not interested in doing this because they expect you to use AppArmor (in fact they try to make you use it).
My strong impression is that the real work of SELinux is in SELinux policies and related to them, all of the labeling that you need to make policies work. These policies and labeling interact with choices that distributions make, such as what programs are called (is it 'exim' or 'exim4') and where programs put and expect their files. As a result, SELinux requires a certain amount of distribution specific work and development, and if a distribution doesn't invest in that, you'll have issues using SELinux on it as SELinux either blocks things that you want to happen or allows things to happen that you don't want to (if the distribution sets very broad policies and labels in order to just get stuff going).
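To make the labeling point concrete, here is an added example (not from the original post, and not any distribution's real policy): a small shell model of how SELinux file_contexts entries map paths to types. The policy fragment and the "ls -Z"-style listing are constructed; the exim rules and the exim4 paths are assumed purely to illustrate a packager renaming a daemon, and matching is simplified to last-matching-entry-wins rather than libselinux's full ordering.

```shell
#!/bin/sh
# Added example: toy model of SELinux file_contexts lookup. The policy
# fragment and the listing are constructed for illustration only.
# Matching is simplified to "last matching entry wins".

# Constructed file_contexts fragment: a generic rule per tree plus the
# daemon-specific rules an upstream policy might ship for a binary named exim.
FILE_CONTEXTS='
/usr/sbin(/.*)?             system_u:object_r:bin_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/var/spool(/.*)?            system_u:object_r:var_spool_t:s0
/usr/sbin/exim         --   system_u:object_r:exim_exec_t:s0
/etc/exim(/.*)?             system_u:object_r:exim_conf_t:s0
/var/spool/exim(/.*)?       system_u:object_r:exim_spool_t:s0
'

# Constructed "ls -Z"-style listing from a host whose packager renamed the
# daemon and its directories to exim4, plus one path under the upstream name.
ACTUAL_LABELS='
/usr/sbin/exim4             system_u:object_r:bin_t:s0
/etc/exim4/exim4.conf       system_u:object_r:etc_t:s0
/var/spool/exim4/input      system_u:object_r:var_spool_t:s0
/usr/sbin/exim              system_u:object_r:exim_exec_t:s0
'

# type_of CONTEXT: print the type field of user:role:type:level.
type_of() {
    t=${1#*:*:}      # drop "user:role:"
    printf '%s\n' "${t%%:*}"   # keep type, drop ":level"
}

# expected_type PATH: the type the constructed policy assigns to PATH,
# or default_t when no entry matches (what matchpathcon reports on a real host).
expected_type() {
    path=$1
    found=default_t
    while read -r regex f2 f3; do
        [ -n "$regex" ] || continue
        # An optional file-type field such as "--" may precede the context.
        case $f2 in -*) ctx=$f3 ;; *) ctx=$f2 ;; esac
        # libselinux anchors each regex at both ends; do the same here.
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=$(type_of "$ctx")
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$found"
}

# mismatched_paths: listed paths whose on-disk type differs from the policy's
# answer, i.e. what "restorecon -nv" would offer to relabel.
mismatched_paths() {
    while read -r p ctx; do
        [ -n "$p" ] || continue
        have=$(type_of "$ctx")
        want=$(expected_type "$p")
        [ "$have" = "$want" ] || printf '%s %s -> %s\n' "$p" "$have" "$want"
    done <<EOF
$ACTUAL_LABELS
EOF
}

# generic_paths: listed paths that land in a generic tree type instead of an
# exim_* type. restorecon considers them correct, yet the exim policy never
# applies to them because the packager's names do not match the policy's.
generic_paths() {
    while read -r p ctx; do
        [ -n "$p" ] || continue
        t=$(expected_type "$p")
        case $t in
            exim_*) ;;
            *) printf '%s %s\n' "$p" "$t" ;;
        esac
    done <<EOF
$ACTUAL_LABELS
EOF
}

# Stand-alone usage: the two views disagree, which is the whole problem.
echo "Paths restorecon would relabel:"; mismatched_paths
echo "Paths the exim policy does not cover:"; generic_paths
```

The useful contrast is between the two reports: `mismatched_paths` is empty, so the usual "is my filesystem labeled correctly" check passes, while `generic_paths` lists every exim4 file, because the daemon-specific types only attach to the upstream names and paths. On a real system the equivalent checks are `matchpathcon PATH` and `restorecon -nv PATH`, and closing the gap means distribution-specific policy work (or local `semanage fcontext` rules), which is the effort the post argues a distribution has to be willing to make.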
Red Hat, and thus CentOS, were (and are, as far as I know) quite committed to SELinux. I'm not sure if there are any other Linux distributions that are, especially distributions with releases that get long term support. Debian's wiki pages suggest that it's not one of them.
(I expect that AppArmor can be used to meet our needs, once we re-analyze them for a replacement system. We've long since lost our knowledge of how exactly SELinux is set up on that system and what our security goals are, since we touch it as little as possible.)