What the SELinux community should be doing

June 10, 2013

Beyond a new errno value for SELinux I don't have any specific technical suggestions for things to do to SELinux to make it work better. Instead I think that the real next steps are social ones (because the most pressing issue is a social one). As it stands the SELinux community is simply not ready to start fixing any technical problems because they clearly do not understand the real problems.

The community's first job should be to understand the real problems that exist, both with SELinux and in general, and to think deeply about how and whether SELinux can solve them (and if there are some problems that SELinux cannot solve and should gracefully bow out from). One vitally important thing here is to actually shut up and listen to the significant number of sysadmins who have problems with SELinux (I say 'shut up' because the last thing the SELinux community needs right now is yet another round of their toxic mistake).

Put another way, SELinux needs to solve real problems and by 'real problems' I mean problems that are actually affecting people in the real world (not theoretical possibilities of threat models). If it cannot solve real problems for people it needs to at least not get in the way. The current situation that many sysadmins are experiencing is that SELinux does not solve real problems and it also gets in the way. The SELinux community needs to fix that (and the answer is not 'lecture sysadmins more' aka 'user education', that's the toxic answer). Step zero of fixing it is understanding how and why SELinux is not helping sysadmins and that requires actually listening to them when they tell you.

(Trust me, if you start genuinely listening people will give you an earful. The SELinux community will probably not like what it hears and think that some of it is wrong, but shut up and listen. It doesn't matter what reality is; what matters here is what sysadmins perceive and believe. Only once you genuinely understand someone's perspective can you begin thinking carefully about how you might change it. You might also come to the uncomfortable conclusion that there is truth in their position.)

My personal view is that the SELinux community should also consider the idea that SELinux is only a good fit for certain sorts of machines. It may be that part of the solution is actually a recommendation that people should normally turn SELinux enforcement off on some sorts of systems.

Written on 10 June 2013.
« SELinux should have its own errno value
The good and bad of IPS (as I see it) »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Jun 10 01:17:07 2013
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.