Disabling SELinux's runtime disable

Posted Apr 21, 2023 7:48 UTC (Fri) by taladar (subscriber, #68407)
Parent article: Disabling SELinux's runtime disable

The thing I personally do not like about SELinux is actually that some distros use SELinux, some use AppArmor, some use neither and if you want to use any sort of config management generated configuration that works on all of them you suddenly have to adjust the pointless differences between distros (e.g. different usernames or paths or config file names) in three or more places (in the actual config and in the policies) instead of just one.

If you forget (or don't know) about adjusting it in one SELinux policy you suddenly have to figure out why your configuration that works perfectly fine on a sane distro doesn't work on "distro that likes to use SELinux but also ancient versions for everything", either because some config option you use isn't supported on that distro or because SELinux blocks it, which is often hard to distinguish because the C return code system doesn't give you some proper "blocked by SELinux" error but just some numeric error code that the majority of applications which don't explicitly handle SELinux errors probably log (if you are lucky) as a generic permission denied or file not found, ... error, often without even referencing the operation it tried to perform or the object it tried to perform it on.
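An added example, not part of the comment above or of any project's code: since the application only sees a generic errno, the place to confirm an SELinux block is the kernel's AVC records in the audit log (typically `/var/log/audit/audit.log`). The sketch below parses such records and lists enforced denials for a given process near the time of the failure; the sample log lines, function names and the two-second window are constructed for illustration.

```python
import re

# Constructed sample audit.log lines (not from the page), in the kernel's AVC record format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1682063280.123:412): avc:  denied  { read } for  pid=2211 comm="nginx" name="site.conf" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1682063280.123:412): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1682063291.004:418): avc:  denied  { name_bind } for  pid=2300 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=USER_LOGIN msg=audit(1682063300.500:420): pid=2400 uid=0 msg='op=login acct="root" res=failed'
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(log_text):
    """Return one dict per 'avc: denied' record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "time": float(m.group("ts")),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "target": fields.get("name") or fields.get("path") or fields.get("src"),
            "scontext": fields.get("scontext"),
            "tcontext": fields.get("tcontext"),
            "tclass": fields.get("tclass"),
            # permissive=1 means the access was logged but NOT blocked
            "enforced": fields.get("permissive", "0") == "0",
        })
    return denials


def selinux_blocked(log_text, comm, around, window=2.0):
    """Enforced denials for process `comm` within `window` seconds of `around`."""
    return [d for d in parse_avc_denials(log_text)
            if d["enforced"] and d["comm"] == comm and abs(d["time"] - around) <= window]
```

An empty result does not rule SELinux out, because `dontaudit` rules in the policy suppress some denial records.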



Disabling SELinux's runtime disable

Posted Apr 21, 2023 12:30 UTC (Fri) by ceplm (subscriber, #41334) [Link] (1 responses)

https://www.reddit.com/r/openSUSE/comments/118twi8/why_is...

Not speaking for SUSE, but it seems to me that we are switching from AppArmor to SELinux (at least with ALP and MicroOS, I guess Tumbleweed will follow as well, and the system I write this on is MicroOS with SELinux Enforcing and my office computer is Tumbleweed with SELinux also in the Enforcing mode).

It seems that the last stand of AppArmor is now Debian/Ubuntu. Debian has certainly enough strength to keep it alive, but otherwise there is a long list of Ubuntu-only projects which later died and were replaced by the projects used by the rest of the Linux universe.

Disabling SELinux's runtime disable

Posted Apr 21, 2023 14:23 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

> Not speaking for SUSE, but it seems to me that we are switching from AppArmor to SELinux (at least with ALP and MicroOS, I guess Tumbleweed will follow as well..

Interesting. Earlier SUSE explicitly noted this:
https://documentation.suse.com/sles/12-SP4/html/SLES-all/...
"Because many organizations are requesting SELinux to be in the Linux distributions they are using, SUSE is offering support for the SELinux framework in SUSE Linux Enterprise Server. This does not mean that the default installation of SUSE Linux Enterprise Server will switch from AppArmor to SELinux in the near future."

I am assuming the situation has evolved since then.

