I believe SELinux needs active support from your distribution

September 18, 2022

We have a single machine that uses SELinux, because it has a need for an unusually thorough level of security. This machine runs CentOS 7, because at the time we built it (several years ago), CentOS 7 was the obvious long-term-support Linux to use for a high-security, SELinux-based environment. Since CentOS has effectively imploded, we are going to need to replace that machine with some other distribution before the middle of 2024, and the default choice is Ubuntu.

If we're going to build a new Ubuntu based machine for this role, one question is whether or not we want to try using SELinux. I've been thinking about this, and my answer so far is no; I don't think we want to try to make SELinux work on Ubuntu. A little bit of Internet searching turns up obvious warning signs, such as the minimal state of the Ubuntu wiki SELinux page and its warnings (and, relatedly, the various cautions on the Debian pages). However, I feel there is a more general reason, which is that in practice SELinux needs active support from your distribution, and Canonical is not interested in providing it because they expect you to use AppArmor (in fact they try to make you use it).

My strong impression is that the real work of SELinux is in the SELinux policies and, closely tied to them, in all of the file labeling that the policies depend on in order to work. Policies and labels are written against choices that distributions make, such as what programs are called (is it 'exim' or 'exim4') and where programs put and expect their files; a policy that expects a daemon's binary, configuration and spool under one set of paths does not automatically fit a distribution that ships them under different names or in different places. As a result, SELinux requires a certain amount of distribution-specific work and development. If a distribution doesn't invest in that, you'll have issues using SELinux on it: either SELinux blocks things that you want to happen, or it allows things to happen that you don't want (if the distribution sets very broad policies and labels just to get stuff going).
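A practitioner's check to go with the point above (an added example, not part of the original post): the quickest way to see the policy-versus-layout mismatch described here is to read the AVC denials the kernel logs. The script below reports whether SELinux is enabled and enforcing, and boils denial records down to source type, target type, object class and permission so the offending pair of labels stands out. The audit lines embedded in it are constructed for illustration; the daemon names, paths, types, inodes and PIDs are assumptions, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks an administrator
# runs when SELinux gets in the way on a system whose policy does not quite
# fit the distribution's file layout:
#   1. selinux_mode  - is SELinux enabled, and is it enforcing or permissive?
#   2. summarize_avc - reduce AVC denial records to (source type, target
#                      type, class, permissions) tuples with counts.
# The audit lines below are constructed; paths, types and PIDs are assumed.

selinux_mode() {
    # selinuxfs is only mounted when SELinux is enabled in the kernel;
    # /sys/fs/selinux/enforce holds 1 (enforcing) or 0 (permissive).
    if [ -r /sys/fs/selinux/enforce ]; then
        if [ "$(cat /sys/fs/selinux/enforce)" = "1" ]; then
            echo enforcing
        else
            echo permissive
        fi
    else
        echo disabled
    fi
}

# Constructed sample: the kind of denials you see when a daemon is installed
# under a name or spool path the policy's file contexts did not anticipate.
SAMPLE_AVC='type=AVC msg=audit(1663545600.101:201): avc:  denied  { write } for  pid=1201 comm="exim4" name="input" dev="dm-0" ino=131 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1663545600.101:201): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1663545600.102:202): avc:  denied  { write } for  pid=1201 comm="exim4" name="msglog" dev="dm-0" ino=132 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1663545600.250:203): avc:  denied  { read } for  pid=1302 comm="nginx" name="index.html" dev="dm-0" ino=9921 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc: read audit records on stdin, keep only AVC denials, strip
# the SELinux user, role and MLS range so only the type pair remains, and
# count occurrences of each (source, target, class, perms) tuple.
summarize_avc() {
    awk '
        /^type=AVC / && /avc:  denied/ {
            # the permission set sits between the first pair of braces
            perms = $0
            sub(/^.*denied  [{] /, "", perms)
            sub(/ [}].*$/, "", perms)
            sctx = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sctx = substr($i, 10)
                if ($i ~ /^tcontext=/) tctx = substr($i, 10)
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            }
            split(sctx, s, ":"); split(tctx, t, ":")
            # s[3] and t[3] are the type fields of user:role:type[:range]
            key = s[3] " -> " t[3] " (" tclass ") { " perms " }"
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# When run directly: report the mode and summarize the constructed sample.
echo "SELinux mode: $(selinux_mode)"
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a real system feed it the live log instead of the sample, for example `ausearch -m avc -ts recent | summarize_avc`, or `grep 'avc:  denied' /var/log/audit/audit.log | summarize_avc`. A tuple such as exim_t writing to var_spool_t is the typical signature of a daemon whose spool lives somewhere the policy's file contexts do not cover, which is the distribution-specific labeling work the paragraph is about; fixing it means adjusting file contexts and relabeling, not turning SELinux off.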

Red Hat, and thus CentOS, was (and is, as far as I know) quite committed to SELinux. I'm not sure if there are any other Linux distributions that are, especially distributions with releases that get long term support. Debian's wiki pages suggest that it's not one of them.

(I expect that AppArmor can be used to meet our needs, once we re-analyze them for a replacement system. We've long since lost our knowledge of how exactly SELinux is set up on that system and what our security goals are, since we touch it as little as possible.)

Comments on this page:

By remyabel at 2022-09-20 08:22:40:

Agreed. I think Red Hat distributions are in fact the only distributions that have an actively maintained SELinux policy. On other systems it's optional and for all intents and purposes experimental. This leads to people having bad experiences with SELinux and disabling it. In those cases, they should be using AppArmor instead. SELinux has a track record of stopping remote exploits, so it's sad that it has such a bad reputation.

By Mike Carifio <mcarifio@ciq.co> at 2022-10-25 20:17:59:

You might find Rocky Linux (https://www.rockylinux.org/) a viable successor to your CentOS 7 system. Comes with SELinux baked in already.


Last modified: Sun Sep 18 22:41:54 2022