
Impedance matching for BPF and LSM


Posted Feb 27, 2020 19:33 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: Impedance matching for BPF and LSM by rahulsundaram
Parent article: Impedance matching for BPF and LSM

Again, these are all niche users, very much in line with "crazy NSA-like tailored environments" where a small cabal of engineers produces a package and end-users are not supposed to tinker with it.



Impedance matching for BPF and LSM

Posted Feb 27, 2020 19:50 UTC (Thu) by pizza (subscriber, #46) [Link] (3 responses)

Android's SELinux-enabled "niche" has between one and two orders of magnitude larger deployment than every other use of the Linux kernel combined.

(If anything, "general purpose UNIX-like Linux" is the actual niche use case these days..)
("niche" does not mean "

Impedance matching for BPF and LSM

Posted Feb 27, 2020 19:53 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Sure. As I said, Android or CoreOS are basically examples of NSA-like crazy environments. They are specifically designed to be inflexible with as few tuning knobs accessible by end-users (or application developers) as possible.

It's no wonder that SELinux can work within these environments.

SELinux still fails within environments that require flexibility or extensibility.

Impedance matching for BPF and LSM

Posted Feb 29, 2020 12:31 UTC (Sat) by cpitrat (subscriber, #116459) [Link]

Reading this thread gives me the impression that you talked about niche usage not knowing it was widely used and are now calling anything that uses it a niche usage just to avoid admitting you're wrong. I may be wrong of course, but your definition of niche usage seems very unusual. I'd say your usage of niche is a niche usage.

Impedance matching for BPF and LSM

Posted Feb 29, 2020 20:45 UTC (Sat) by zlynx (guest, #2285) [Link]

> SELinux still fails within environments that require flexibility or extensibility.

Only with administrators who can't be bothered to learn how it works.

This reminds me of PHP web developers who can't be bothered to learn Unix file permissions and mark everything chmod 777.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:13 UTC (Thu) by SEJeff (guest, #51588) [Link] (6 responses)

Red Hat Enterprise Linux niche and "crazy NSA-like tailored environments"? As is my laptop currently running Fedora? I'm a longtime fan of your comments, but this is a bit much, Cyberax.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

I've yet to see Enterprise Red Hat with SELinux in enforcing mode. I've only heard that they exist somewhere.

Many Red Hat forks (Amazon Linux, Scientific Linux) also pretty much ignore SELinux and barely test it.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:39 UTC (Thu) by mohg (guest, #114025) [Link] (1 responses)

I've used Scientific Linux (6, 7) and CentOS (8) with SELinux enforcing (on 7 and 8; can't remember about 6) for 6+ years. Works fine for me. I find it a well documented and implemented feature.

As a binary rebuild of RHEL, Scientific Linux supports whatever the equivalent RHEL does.
I have no idea in what sense it could be said to "pretty much ignore SELinux".

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:46 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

> As a binary rebuild of RHEL, Scientific Linux supports whatever the equivalent RHEL does.
> I have no idea in what sense it could be said to "pretty much ignore SELinux".

The problem is that SL doesn't do anything with SELinux. If you use it as a RHEL rebuild it works just as RHEL.

However, plenty of software doesn't support it. Like SUN (RIP) Grid Engine forks, or good old Hadoop.

Impedance matching for BPF and LSM

Posted Feb 27, 2020 20:59 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

> I've yet to see Enterprise RedHat with SELinux in enforcing mode. I've only heard that they exist somewhere.

I have worked in multiple large enterprises which had SELinux in enforcing mode. I am not sure what this argument is about.

Impedance matching for BPF and LSM

Posted Feb 29, 2020 2:14 UTC (Sat) by Rudd-O (guest, #61155) [Link]

All my machines run Fedora, and all run in enforcing mode.

Perhaps the "niche" is only on your mind, brah.

Impedance matching for BPF and LSM

Posted Mar 3, 2020 17:45 UTC (Tue) by frostsnow (subscriber, #114957) [Link]

As a counter to all the "we use Linux in enforcing mode" comments, at my current position we systematically disable SELinux & in order to not run into arcane permission issues.

