Title.

  • psycotica0@lemmy.ca
    20 upvotes · 4 hours ago

    I’ve encountered it very little, but when I encounter it it’s because I try to do something and it doesn’t work. So I check the permissions with ls -l, and it all seems reasonable. Huh, this should work. Try again, nope. Hmm. 20 minutes of trying random variations, strange results. Oh fuck, is this SELinux? Shit. Where do those configs exist again? How do I configure that? Google “SELinux cheat sheet” hmmm, I don’t have enough context to use that, Google “SELinux getting started”. Read tutorial, try to skim just enough to figure out what’s going wrong for me.

    So I don’t hate it, I just haven’t ever had a use for it, but it has surprised me in a bad way before and cost me a lot of time and confusion, but I’ve never spent the time getting familiar because I’ve never had a use for it. And it comes up rarely enough I never remember anything about it by the time it bites me. I can’t even recall now what I was trying to do the last time I bumped into it.
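
The situation described in the comment above (`ls -l` looks reasonable, yet the operation fails) leaves a trace in the audit log as AVC denial records. As an added example that is not part of the thread, this Python parser turns such records into source type, target type, class and permissions; the sample log lines and function names are constructed for illustration.

```python
import re

# Constructed sample records in the audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000001.500:457): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/srv/forum/index.php" dev="dm-0" ino=200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.000:458): avc:  denied  { name_bind } for  pid=1300 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "comm": f.get("comm", "?"),
        "object": f.get("path") or f.get("name") or f.get("src", "?"),
        "perms": m.group("perms").split(),
        "source_type": selinux_type(f.get("scontext", "")),
        "target_type": selinux_type(f.get("tcontext", "")),
        "tclass": f.get("tclass", "?"),
        # permissive=1 means the denial was only logged, not enforced.
        "enforced": f.get("permissive") == "0",
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        entry = groups.setdefault(key, {"perms": set(), "enforced": False})
        entry["perms"].update(rec["perms"])
        entry["enforced"] = entry["enforced"] or rec["enforced"]
    return groups
```

On a live system the same records come from `/var/log/audit/audit.log` or `ausearch -m avc`, and `ls -Z` shows the label that `ls -l` does not. A label set with `chcon` is lost on the next relabel, while `semanage fcontext` followed by `restorecon` records it persistently.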

    • corsicanguppy@lemmy.ca
      English · 2 upvotes · edited 52 minutes ago

      Absolutely this.

      33 years in Linux, 30+ professionally, Unix+Linux security background in a past life at a fucking distro.

      When I first install a new distro version, I do something very simple; maybe I configure a simple web page, for instance.

      Usually the web server refuses to start, or something equally “so dumb it should have been seen in early testing and doesn’t even get to the challenge I set before it” stupid. If the distro can’t test something so basic, then I know they’re not prepared to consider selinux implications while maintaining or debugging the distro. I don’t need to blaze a trail the distro can’t be arsed to.

      Then I mod away the config in my template and hope the distro can pull out their proverbial head in 5 years.

      The easiest path needs to be the safest path

  • atzanteol@sh.itjust.works
    English · 10 upvotes · 4 hours ago

    It’s awesome, but very complicated to use and overkill for most homegamer setups.

    The first interaction most people have with it is when it stops something they want to do from working and it’s not obvious why. Then the first selinux command they learn is how to disable it.

  • Pommes_für_dein_Balg@feddit.org
    2 upvotes, 1 downvote · edited 2 hours ago

    I’m a sysadmin and I don’t understand it, so I just set it to permissive so it doesn’t interfere with my work.
    The machine is behind a firewall anyway so it’s safe.

  • ISolox@lemmy.world
    5 upvotes · 4 hours ago

    After switching between distros for 8+ years and settling on Fedora KDE, I don’t think I’ve ever had SELinux get in my way for anything.

  • Soot [any]@hexbear.net
    English · 13 upvotes · edited 5 hours ago

    Linux permissions are obvious, straightforward, and very easy to change - They rule.

    SELinux permissions are impossible to see, seemingly pointlessly more complex, and I don’t know how to check them or change them i.e. They drool.

    As a power user who is constantly changing system stuff, installing weird stuff, running weird servers, disabling SELinux is like, step 2 of installing Linux for me (and honestly, even if you’re not a power user, I can assure you at least ONE issue you’ve faced was actually caused by SELinux under the hood). I have wasted whole days working out just that SELinux is causing my fucking issue, and then days more on how to fix the permissions, and then days more doing those again when those permissions RESET as it is wont to do and days more trying to make my needed changes permanent. And let’s not even get started on how to transplant an SELinux permissions structure from one disk to another. So instead of a week’s worth of frustrating work every year, I can spend one minute disabling SELinux.

    Its implementation feels contradictory to the most basic principles of understandable and workable systems. It’s like the NSA wanted to make software that was the diametric opposite of the Zen of Python. It’s ugly, it’s implicit, it’s complicated, nested, dense, unreadable, full of special cases, and silent errors, it constantly guesses in the face of ambiguity (which is why I have to constantly correct it).

    Basically, I have wasted too much of my life faffing with an opaque and ludicrously complex permissions layer that seems to be there solely as a ‘just in case’ my already existing permissions aren’t good enough.

    • Formless Oedon@lemmy.mlB
      2 upvotes · 2 hours ago

      Honestly I am kind of afraid of Linux still. I hide inside Emacs. These sorts of tips are really helpful.

  • fartsparkles@lemmy.world
    14 upvotes · 8 hours ago

    If you’re mandated or regulated to MLS or MAC etc, SELinux is a security control that enables you to comply through expanded and expressive policy controls.

    When I hear dislike for it, it’s usually because people are using SELinux as a “make my personal computer safer” tool rather than the “we’ve hundreds of thousands of differently classified sensitive documents and thousands of employees with different clearances”.

    MAC/DAC/MLS isn’t designed for personal computing and if you think SELinux is the solution you personally need, you might need to reevaluate your threat model (as any external actor will seek to bypass kernel controls entirely e.g. CVE-2025-0078).

  • ChristchurchAsshole@lemmy.ml
    7 upvotes, 2 downvotes · 6 hours ago

    It’s a pain in the ass when you want to run a web server on your PC. You have to disable SELINUX else the damn thing won’t let me modify html pages and show the updates. Everything is just frozen from making any changes. That said, it’s probably easier to do web development another way, my method is nearly two decades obsolete. SELINUX really pissed me off though. I wanted to test forum software on my PC once, and SELINUX was blocking me and I couldn’t figure it out for ages.

  • kureta@lemmy.ml
    28 upvotes, 2 downvotes · 9 hours ago

    It’s an unnecessary layer of complexity. I am the only user of my personal laptop. I don’t need fine-grained permissions. Linux users and groups are enough for any permission needs I might have, like docker group, audio and video groups, etc. I don’t have any “classified” documents on my computer. My home directory and root are on different disks. I can easily format and reinstall my system if something goes wrong and keep all my personal data.

    • papercut@lemmy.ml
      6 upvotes · 6 hours ago

      Having your home directory on a different disk is something that could’ve saved me a lot of headache. Can’t believe I didn’t think of that.

      • Soot [any]@hexbear.net
        English · 4 upvotes · edited 5 hours ago

        In a lot of distros at least, you can just reinstall in place, which has the same effect. But a different place for /home does feel a potentially more reliable method.

    • custard_swollower@lemmy.world
      7 upvotes · 8 hours ago

      You don’t have classified documents, but you probably use your bank in your browser running as your user. Maybe you use a local mail program to send emails, also running as your user. A simple malware could add emails to be sent asking your family to send you some money through an online service.

      And that’s easily done because the only isolation layer is user and group.

      • kureta@lemmy.ml
        1 upvote, 2 downvotes · 3 hours ago

        I really don’t see how anyone can install malware on my computer. I know my way around computers enough to not do anything dumb. Of course if someone wanted, they would be able to hack my device, probably. But I am not a high value target and it would be a waste of their time and effort. In short, that’s a risk I am willing to take :)

  • dwt@feddit.org
    Deutsch · 5 upvotes · 7 hours ago

    I like the idea, but the implementation is complicated enough that it acts as a high barrier to entry.

  • hendrik@palaver.p3x.de
    English · 10 upvotes · 9 hours ago

    Uh. I guess people have random opinions and blast them on the internet. I can see how someone would misconfigure their computer and then blame it on the software. Or use software they don’t need, which just adds unnecessary complexity and more issues. Other than that, I don’t think there’s anything wrong with SELinux.

  • fozid@feddit.uk
    10 upvotes · 9 hours ago

    I don’t dislike it. I have no opinion on it. It’s something I have never looked into heavily enough as it has never been a potential solution to a problem I may have encountered. There are no security or hardening areas that I currently class as gaps that need plugging in any of my systems where I would consider looking into selinux.

  • DanceMomsSavedMe@lemmy.zip
    4 upvotes, 6 downvotes · 4 hours ago

    It was made by the NSA so that’s already minus 5 points right there.

    I’m not kidding. Look it up on DDG.