LWN: Comments on "Impedance matching for BPF and LSM"

Impedance matching for BPF and LSM

frostsnow — Tue, 03 Mar 2020 17:45:36 +0000

As a counter to all the "we use Linux in enforcing mode" comments, at my current position we systematically disable SELinux & in order to not run into arcane permission issues.

Impedance matching for BPF and LSM

zlynx — Sat, 29 Feb 2020 20:45:30 +0000

> SELinux still fails within environments that require flexibility or extensibility.

Only with administrators who can't be bothered to learn how it works.

This reminds me of PHP web developers who can't be bothered to learn Unix file permissions and mark everything chmod 777.

Impedance matching for BPF and LSM

cpitrat — Sat, 29 Feb 2020 12:31:48 +0000

Reading this thread gives me the impression that you talked about niche usage not knowing it was widely used and are now calling anything that uses it a niche usage just to avoid admitting you're wrong. I may be wrong of course, but your definition of niche usage seems very unusual. I'd say your usage of niche is a niche usage.

Impedance matching for BPF and LSM

Rudd-O — Sat, 29 Feb 2020 02:14:21 +0000

All my machines run Fedora, and all run in enforcing mode.

Perhaps the "niche" is only on your mind, brah.

Impedance matching for BPF and LSM

beagnach — Thu, 27 Feb 2020 22:34:28 +0000

> Android is a niche system, it's not a general-purpose operating system.

Again... "niche" and billions just don't seem to fit together. If you're wanting to contrast with "general purpose" why not just use the term "special purpose"?

Sorry to be nit-picky but I find your use of that term in this context quite jarring.

Impedance matching for BPF and LSM

rahulsundaram — Thu, 27 Feb 2020 20:59:09 +0000

>I've yet to see Enterprise RedHat with SELinux in enforcing mode. I've only heard that they exist somewhere.

I have worked in multiple large enterprises which had SELinux in enforcing mode. I am not sure what this argument is about

Impedance matching for BPF and LSM

Cyberax — Thu, 27 Feb 2020 20:46:43 +0000

> As a binary rebuild of RHEL, Scientifix Linux supports whatever the equivalent RHEL does.
> I have no idea in what sense it could be said to "pretty much ignore SELinux".
The problem is that SL doesn't do anything with SELinux. If you use it as a RHEL rebuild it works just as RHEL.

However, plenty of software doesn't support it. Like SUN (RIP) Grid Engine forks, or good old Hadoop.

Impedance matching for BPF and LSM

mohg — Thu, 27 Feb 2020 20:39:08 +0000

I've used Scientific Linux (6, 7) and CentOS (8) with SELinux enforcing (on 7 and 8; can't remember about 6) for 6+ years. Works fine for me. I find it a well documented and implented feature.

As a binary rebuild of RHEL, Scientifix Linux supports whatever the equivalent RHEL does.
I have no idea in what sense it could be said to "pretty much ignore SELinux".

Impedance matching for BPF and LSM

Cyberax — Thu, 27 Feb 2020 20:18:38 +0000

I've yet to see Enterprise RedHat with SELinux in enforcing mode. I've only heard that they exist somewhere.

Many RedHat forks (Amazon Linux, Scientific Linux) also pretty much ignore SELinux and barely test it.

Impedance matching for BPF and LSM

SEJeff — Thu, 27 Feb 2020 20:13:29 +0000

Redhat Enterprise Linux nice and "crazy NSA-like tailored environments"? As is my laptop currently running Fedora? I'm a longtime fan of your comments, but this is a bit much Cyberax.

Impedance matching for BPF and LSM

Cyberax — Thu, 27 Feb 2020 19:53:58 +0000

Sure. As I said, Android or CoreOS are basically examples of NSA-like crazy environments. They are specifically designed to be inflexible with as few tuning knobs accessible by end-users (or application developers) as possible.

It's no wonder that SELinux can work within these environments.

SELinux still fails within environments that require flexibility or extensibility.

Impedance matching for BPF and LSM

pizza — Thu, 27 Feb 2020 19:50:55 +0000

Android's SELinux-enabled "niche" has between one and two orders of magnitude larger deployment than every other use of the Linux kernel combined.

(If anything, "general purpose UNIX-like Linux" is the actual niche use case these days..)
("niche" does not mean "

Impedance matching for BPF and LSM

Cyberax — Thu, 27 Feb 2020 19:33:55 +0000

Again, these are all niche users, very much in line with "crazy NSA-like tailored environments" where a small cabal of engineers produces a package and end-users are not supposed to tinker with it.

Impedance matching for BPF and LSM

rahulsundaram — Thu, 27 Feb 2020 18:20:45 +0000

>Yet Android is a niche system, it's not a general-purpose operating system

You would have to discount Android, Chrome OS, RHEL/CentOS, Fedora, CoreOS and several others

There are more mobile/tablet/chromebook users using their devices for all sorts of things. I think that would qualify as general purpose anyway

Impedance matching for BPF and LSM

Cyberax — Thu, 27 Feb 2020 18:01:21 +0000

Yet Android is a niche system, it's not a general-purpose operating system. It's specifically designed for one particular use-case with all the design decisions being guided by it.

So as a result, Android now looks almost nothing like Unix.

Impedance matching for BPF and LSM

theonewolf — Thu, 27 Feb 2020 17:04:43 +0000

SELinux is also a core piece of Red Hat Enterprise CoreOS and the OpenShift distribution of Kubernetes.

That makes it being used in Microsoft Azure (OpenShift offering) and other places where OpenShift is being deployed (AWS, on premise).

Impedance matching for BPF and LSM

beagnach — Thu, 27 Feb 2020 10:47:26 +0000

Using the word "niche" to describe a technology with an install base in the billions doesn't really feel quite right.

Impedance matching for BPF and LSM

re:fi.64 — Thu, 27 Feb 2020 05:11:40 +0000

Your post was saying it was still in the same niche. Regardless of Android's status, it's still using SELinux, this it's pretty easy to say it has acquired widespread use and more notably on consumer devices.

Even then, RHEL uses SELinux by default and has widespread use in enterprise.

Impedance matching for BPF and LSM

Cyberax — Wed, 26 Feb 2020 23:55:46 +0000

Thank you for confirming my post. Modern Android OS is about as far from regular Unix as it can get.

Impedance matching for BPF and LSM

TheJH — Wed, 26 Feb 2020 23:54:04 +0000

SELinux runs on every (non-ancient) Android phone.

Impedance matching for BPF and LSM

Cyberax — Wed, 26 Feb 2020 23:27:30 +0000

> When LSM was introduced it was expected to be used by the lunatic fringe people with government mandated security requirements. Today it has a much greater general application.
Uh no. SELinux is still pretty much in the same niche.