Thank you Shawn, this is probably the clearest video about SELinux on youtube ! I remember discovering you like 10 years ago on the CBT nuggets videos for LPIC certification. Your enthusiasm, amazing teacher skills and your passion about Linux helped me a lot through the learning process, thank you for that and for the amazing content.
I love SELinux. Sure the config is a pain, but I learned how to read the log file, set Booleans, configure contexts, etc. with a little bit of learning and effort, you too can be an SELinux pro! It’s a great addition to your server security and has prevented my web server from getting compromised.
This randomly popped up in my recommendations, and watching your video I suddenly have the desire to install a distro that supports SELinux. You made me love it. Thank you.
I want to thank you Shawn for your great content. I passed my exam today with your help. I found your videos a week ago and it was what I needed to not only reinforced what I had learned so far but actually allowed to me understand topics which other videos or course did not go into. Keep up the great work and I hope others find your content as informative as I did.
It can be such a tough topic. And while this certainly doesn't cover every detail of it, my hope was to make what it does understandable, and dealing with it possible. (Instead of just turning it off, which I'll admit I've done a LOT of times myself!)
My first job as a sysadmin had me work on CentOS machines and I just hated SELinux. I have yet to meet anybody who likes it. Like you said though, it came from a good idea but the implementation and its user-friendliness are debatable.
I like it. I deploy it in prod. It's proven to stop vulns that otherwise would have succeeded and given attackers access. There's a learning curve, but part of that is because of how flexible it is compared to something like AppArmor - just like any proper security engineering.
This need to be the first intro to SELinux for everyone. I learned the hard way when it was rolled out. I hate it because it took me farther down the Linuxhole than I wanted to go.
Thank you for the presentation, very useful. You hate it because it is complicated, I guess, and that's fair... don't tell anyone but because of that I don't like it that much either. It would've been more useful to touch more on the fields of "-Z" as I think there's a lot of info to be uncovered in there, then a bit more on the default policies and how to work with them, check on their details and so on. Not to forget the logfiles, extremely useful in the recent versions as you can read and do a copy/paste of commands needed to correct the issues. Maybe in a follow up video or something like a deep dive or tshoot etc. Thank you!
I think its a pity, that people have such a hate, for a technology this important. Even the teachers i had for Linux, teached us to turn it off completely. I don't like when we teach bad practices.
I understand the concern over teaching bad practices - the thing about SELinux is that the added security it offers, particularly is the bulk of situations, pales in comparison to its complexity and the frustration it causes. A security practice is only as good as it’s usability, in a practical sense. Don’t get me wrong, I really do understand your frustration, and agree in spirit. But “the juice isn’t worth the squeeze” in my experience. I wish that weren’t the case.
I tend to agree with Shawn with the caveat that if you work on systems that should be made highly secure in huge companies (yes, it's anyway always a good idea to harden your machines) you're going to want to use all the tools that you have at your disposal. If that means getting your hands dirty with SELinux and getting experienced with it, it'll probably be worth it in the long run as long as your team has a proper documentation that comes with how it's used on servers. However, just because something is important, like SELinux is, does not mean we can't dispute how it was implemented and its apparent complexity. I know that not everything can be made simple but especially when it comes to security which is so important nowadays, it's a good idea to, when possible, consider this when creating features (keeping in mind when SELinux was created, of course).
I also hate SELinux. I have very little experience with it but the experience i do have has always just been a headache. It doesn't seem to fix a problem and just makes things more complicated. If i don't want the web server accessing files, that's what file permissions or for. If I don't want people having web directories in their home directories, that's a setting in Apache. Adding a second step just confuses things and is more likely to break something.
I can't even enable SElinux :D Installed a fresh copy of Rocky Linux which came with policycoreutils preinstalled but sestatus showed disabled. There was no config file in /etc/selinux/, but I created one a filled with SELINUX=enforcing/permissive, restarted the system after every change, but still disabled. Uninstalled policycoreutils, restarted the os, installed it again (still no config) file, restarted but still disabled. Installed it on Ubuntu where it created the config file, change the SELINUX value to permissive/enforcing, restarted but it's still disabled.
Found the issue. I was using containers and WSL and apparently SElinux won't work on those. I've just spinned up a linux VM and it's enabled by default.
What about the connection between Fedora, Red Hat, and the fact that SELinux was developed by the NSA? How is that supposed to be secure? How can I trust something like that, even if they say, 'Don't worry, it's open, people are reviewing it'? Plus, Fedora’s licenses include restrictions for countries not aligned with the US. OpenSUSE, which is kind of the European equivalent, uses AppArmor instead of SELinux. Why is that?
great video.only why do you verlbalize commands so much. its much easier to do 0 1 2 then permissive enforcing and whatever is 3 shit. same with on off. off is 3 letters, 0 is only one. and you have to memorise off because it can theoreticaly also be disabled, or disable or remove
Thank you Shawn, this is probably the clearest video about SELinux on youtube ! I remember discovering you like 10 years ago on the CBT nuggets videos for LPIC certification. Your enthusiasm, amazing teacher skills and your passion about Linux helped me a lot through the learning process, thank you for that and for the amazing content.
Thank you! It can be such a confusing beast, I'm glad my explanation makes sense!
Also glad you found me here! :)
I completely agree with you! Thanks Shawn Powers!
I love SELinux. Sure the config is a pain, but I learned how to read the log file, set Booleans, configure contexts, etc. with a little bit of learning and effort, you too can be an SELinux pro! It’s a great addition to your server security and has prevented my web server from getting compromised.
This randomly popped up in my recommendations, and watching your video I suddenly have the desire to install a distro that supports SELinux. You made me love it. Thank you.
I tried in vain to understand SElinux in CompTIA Linux+, but you describe it so simply that it is really fun. A well spent half hour.
Thank you!
I want to thank you Shawn for your great content. I passed my exam today with your help. I found your videos a week ago and it was what I needed to not only reinforced what I had learned so far but actually allowed to me understand topics which other videos or course did not go into. Keep up the great work and I hope others find your content as informative as I did.
First off -- CONGRATS! And thank you, that means a ton to me! :)
Thank you for the video. Feels like Internet has way too little information about SELinux.
It can be such a tough topic. And while this certainly doesn't cover every detail of it, my hope was to make what it does understandable, and dealing with it possible. (Instead of just turning it off, which I'll admit I've done a LOT of times myself!)
My first job as a sysadmin had me work on CentOS machines and I just hated SELinux. I have yet to meet anybody who likes it. Like you said though, it came from a good idea but the implementation and its user-friendliness are debatable.
I like it. I deploy it in prod. It's proven to stop vulns that otherwise would have succeeded and given attackers access. There's a learning curve, but part of that is because of how flexible it is compared to something like AppArmor - just like any proper security engineering.
You probably work with a people with skill issue. It happens...
I've been trying to figure out SELinux for months. In less than 15 minutes into your video I had my Eureka moment. Thanks!
This need to be the first intro to SELinux for everyone. I learned the hard way when it was rolled out.
I hate it because it took me farther down the Linuxhole than I wanted to go.
"I Hate SELinux because it does what it was made to do" - corrected xD
Thank you Shawn.
SELinux is definitely one of the most confusing topic on the Linux+ exam, but you have made it much more understandable.
The selinux log is hundreds of lines of the most incomprehensible log file I have ever seen. Great video- thanks. Helped my understanding a lot.
Glad it helped!
Thank you for the presentation, very useful.
You hate it because it is complicated, I guess, and that's fair... don't tell anyone but because of that I don't like it that much either.
It would've been more useful to touch more on the fields of "-Z" as I think there's a lot of info to be uncovered in there, then a bit more on the default policies and how to work with them, check on their details and so on. Not to forget the logfiles, extremely useful in the recent versions as you can read and do a copy/paste of commands needed to correct the issues.
Maybe in a follow up video or something like a deep dive or tshoot etc.
Thank you!
I think its a pity, that people have such a hate, for a technology this important. Even the teachers i had for Linux, teached us to turn it off completely. I don't like when we teach bad practices.
I understand the concern over teaching bad practices - the thing about SELinux is that the added security it offers, particularly is the bulk of situations, pales in comparison to its complexity and the frustration it causes.
A security practice is only as good as it’s usability, in a practical sense. Don’t get me wrong, I really do understand your frustration, and agree in spirit. But “the juice isn’t worth the squeeze” in my experience. I wish that weren’t the case.
I tend to agree with Shawn with the caveat that if you work on systems that should be made highly secure in huge companies (yes, it's anyway always a good idea to harden your machines) you're going to want to use all the tools that you have at your disposal. If that means getting your hands dirty with SELinux and getting experienced with it, it'll probably be worth it in the long run as long as your team has a proper documentation that comes with how it's used on servers. However, just because something is important, like SELinux is, does not mean we can't dispute how it was implemented and its apparent complexity. I know that not everything can be made simple but especially when it comes to security which is so important nowadays, it's a good idea to, when possible, consider this when creating features (keeping in mind when SELinux was created, of course).
@@Agnubisyeah probably for home setups use apparmor or nothing, but for enterprise it should be worth the effort.
i know i am out of context, but can you please tell me the name of the lamp with bouncing colorurs :)
I also hate SELinux. I have very little experience with it but the experience i do have has always just been a headache. It doesn't seem to fix a problem and just makes things more complicated. If i don't want the web server accessing files, that's what file permissions or for. If I don't want people having web directories in their home directories, that's a setting in Apache. Adding a second step just confuses things and is more likely to break something.
yes it is complicated, if it doesn't seem to add value to your situation(s) then it is ok not to use it, the learning curve is quite steep and big.
I can't even enable SElinux :D Installed a fresh copy of Rocky Linux which came with policycoreutils preinstalled but sestatus showed disabled. There was no config file in /etc/selinux/, but I created one a filled with SELINUX=enforcing/permissive, restarted the system after every change, but still disabled. Uninstalled policycoreutils, restarted the os, installed it again (still no config) file, restarted but still disabled. Installed it on Ubuntu where it created the config file, change the SELINUX value to permissive/enforcing, restarted but it's still disabled.
Installed CentOS and it also doesn't have the config file and SElinux is disabled by default.
Found the issue. I was using containers and WSL and apparently SElinux won't work on those. I've just spinned up a linux VM and it's enabled by default.
That was an awesome overview
semanage @27:28 vs. setsebool
Den Walsh approved!
Thanks!
Thank you Shawn .. you managed to make me hate SELinux too :D
What about the connection between Fedora, Red Hat, and the fact that SELinux was developed by the NSA? How is that supposed to be secure? How can I trust something like that, even if they say, 'Don't worry, it's open, people are reviewing it'? Plus, Fedora’s licenses include restrictions for countries not aligned with the US. OpenSUSE, which is kind of the European equivalent, uses AppArmor instead of SELinux. Why is that?
+1
Thank you
I hate AppArmor lol
great video.only why do you verlbalize commands so much. its much easier to do 0 1 2 then permissive enforcing and whatever is 3 shit. same with on off. off is 3 letters, 0 is only one. and you have to memorise off because it can theoreticaly also be disabled, or disable or remove
I hate se linux. Learned about it for months, kept getting permission context errors. Couldn't get anything to work so I just disabled it entirely
lmao