|
|
Subscribe / Log in / New account

Impedance matching for BPF and LSM

Impedance matching for BPF and LSM

Posted Feb 26, 2020 23:54 UTC (Wed) by TheJH (subscriber, #101155)
In reply to: Impedance matching for BPF and LSM by Cyberax
Parent article: Impedance matching for BPF and LSM

SELinux runs on every (non-ancient) Android phone.

to post comments

Impedance matching for BPF and LSM

Posted Feb 26, 2020 23:55 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (17 responses)

Thank you for confirming my post. Modern Android OS is about as far from regular Unix as it can get.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 5:11 UTC (Thu) by re:fi.64 (subscriber, #132628) [Link]

Your post was saying it was still in the same niche. Regardless of Android's status, it's still using SELinux, this it's pretty easy to say it has acquired widespread use and more notably on consumer devices.

Even then, RHEL uses SELinux by default and has widespread use in enterprise.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 10:47 UTC (Thu) by beagnach (guest, #32987) [Link] (15 responses)

Using the word "niche" to describe a technology with an install base in the billions doesn't really feel quite right.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 18:01 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (14 responses)

Yet Android is a niche system, it's not a general-purpose operating system. It's specifically designed for one particular use-case with all the design decisions being guided by it.

So as a result, Android now looks almost nothing like Unix.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 18:20 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (12 responses)

>Yet Android is a niche system, it's not a general-purpose operating system

You would have to discount Android, Chrome OS, RHEL/CentOS, Fedora, CoreOS and several others

There are more mobile/tablet/chromebook users using their devices for all sorts of things. I think that would qualify as general purpose anyway

Impedance matching for BPF and LSM

Posted Feb 27, 2020 19:33 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (11 responses)

Again, these are all niche users, very much in line with "crazy NSA-like tailored environments" where a small cabal of engineers produces a package and end-users are not supposed to tinker with it.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 19:50 UTC (Thu) by pizza (subscriber, #46) [Link] (3 responses)

Android's SELinux-enabled "niche" has between one and two orders of magnitude larger deployment than every other use of the Linux kernel combined.

(If anything, "general purpose UNIX-like Linux" is the actual niche use case these days..)
("niche" does not mean "

Impedance matching for BPF and LSM

Posted Feb 27, 2020 19:53 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Sure. As I said, Android or CoreOS are basically examples of NSA-like crazy environments. They are specifically designed to be inflexible with as few tuning knobs accessible by end-users (or application developers) as possible.

It's no wonder that SELinux can work within these environments.

SELinux still fails within environments that require flexibility or extensibility.

Impedance matching for BPF and LSM

Posted Feb 29, 2020 12:31 UTC (Sat) by cpitrat (subscriber, #116459) [Link]

Reading this thread gives me the impression that you talked about niche usage not knowing it was widely used and are now calling anything that uses it a niche usage just to avoid admitting you're wrong. I may be wrong of course, but your definition of niche usage seems very unusual. I'd say your usage of niche is a niche usage.

Impedance matching for BPF and LSM

Posted Feb 29, 2020 20:45 UTC (Sat) by zlynx (guest, #2285) [Link]

> SELinux still fails within environments that require flexibility or extensibility.

Only with administrators who can't be bothered to learn how it works.

This reminds me of PHP web developers who can't be bothered to learn Unix file permissions and mark everything chmod 777.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:13 UTC (Thu) by SEJeff (guest, #51588) [Link] (6 responses)

Redhat Enterprise Linux nice and "crazy NSA-like tailored environments"? As is my laptop currently running Fedora? I'm a longtime fan of your comments, but this is a bit much Cyberax.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

I've yet to see Enterprise RedHat with SELinux in enforcing mode. I've only heard that they exist somewhere.

Many RedHat forks (Amazon Linux, Scientific Linux) also pretty much ignore SELinux and barely test it.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:39 UTC (Thu) by mohg (guest, #114025) [Link] (1 responses)

I've used Scientific Linux (6, 7) and CentOS (8) with SELinux enforcing (on 7 and 8; can't remember about 6) for 6+ years. Works fine for me. I find it a well documented and implented feature.

As a binary rebuild of RHEL, Scientifix Linux supports whatever the equivalent RHEL does.
I have no idea in what sense it could be said to "pretty much ignore SELinux".

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:46 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

> As a binary rebuild of RHEL, Scientifix Linux supports whatever the equivalent RHEL does.
> I have no idea in what sense it could be said to "pretty much ignore SELinux".
The problem is that SL doesn't do anything with SELinux. If you use it as a RHEL rebuild it works just as RHEL.

However, plenty of software doesn't support it. Like SUN (RIP) Grid Engine forks, or good old Hadoop.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:59 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

>I've yet to see Enterprise RedHat with SELinux in enforcing mode. I've only heard that they exist somewhere.

I have worked in multiple large enterprises which had SELinux in enforcing mode. I am not sure what this argument is about

Impedance matching for BPF and LSM

Posted Feb 29, 2020 2:14 UTC (Sat) by Rudd-O (guest, #61155) [Link]

All my machines run Fedora, and all run in enforcing mode.

Perhaps the "niche" is only on your mind, brah.

Impedance matching for BPF and LSM

Posted Mar 3, 2020 17:45 UTC (Tue) by frostsnow (subscriber, #114957) [Link]

As a counter to all the "we use Linux in enforcing mode" comments, at my current position we systematically disable SELinux & in order to not run into arcane permission issues.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 22:34 UTC (Thu) by beagnach (guest, #32987) [Link]

> Android is a niche system, it's not a general-purpose operating system.

Again... "niche" and billions just don't seem to fit together. If you're wanting to contrast with "general purpose" why not just use the term "special purpose"?

Sorry to be nit-picky but I find your use of that term in this context quite jarring.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 17:04 UTC (Thu) by theonewolf (guest, #118690) [Link]

SELinux is also a core piece of Red Hat Enterprise CoreOS and the OpenShift distribution of Kubernetes.

That makes it being used in Microsoft Azure (OpenShift offering) and other places where OpenShift is being deployed (AWS, on premise).


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds