
Looks interesting. SELinux by default is certainly a win; it seems that Linux has finally hit a tipping point where SELinux is a reasonable option (i.e., someone else is going to do the work for you).

Unfortunately I'm just way more used to Debian-based systems, and I feel like having a mismatch in production would just lead to friction.

RHEL running with SELinux enabled has been a thing since I worked at Red Hat 12 years ago, and Amazon Linux 2 was based on a CentOS upstream that had the capability of running in that way. All certification had to happen with SELinux enabled, and any distro-provided service was set up to run with full restrictions, and it was the default on for all Professional Services work.

However, it became a problem once you used third-party software, as step 1 of most install guides was to disable SELinux.

I use systemd units to start Oracle databases.

These come up unconfined by default in RHEL 7, but this behavior changed in RHEL 8.

I don't remember the specifics, but Oracle support confirmed that it should be assigned unconfined in the newer OS.

This is essentially "setenforce 0" for a process, as I understand it.

In Red Hat or CentOS it was enabled by default as well for a long while. The problem was that if you installed custom software (not packaged by the distro) you had two options:

- create and install SELinux rules for it

- disable SELinux

Unfortunately, most did not bother to learn how to do the first option, so they went with the second.

Besides the sibling answers, it has been enabled by default on Android for quite some time now; it is one of the mechanisms by which they enforce the NDK being mostly about extending the Java/Kotlin userspace with native code and nothing else.

Yes, Android is in fact one of the major contributors to that 'tipping point' I was mentioning.

The irony with Android is that, from the userspace point of view, it doesn't matter that it runs on top of the Linux kernel.

So while they are the Linux distribution that takes advantage of almost all security knobs available (SELinux, seccomp, eBPF, userspace drivers, ...), that is transparent to apps unless they try to see behind the curtain.

Yep, it's great. But they did do a lot of work to get system services and privileged Google Apps to behave in SELinux.

SELinux has always been a reasonable option but it’s just scarier than people are used to. I used Fedora for a couple of years and was surprised by how straightforward it was once I understood it.
