SELinux provides a strong security measure that can make an SELinux-enabled operating system a type of “fortress”: the so-called “confined users” [1] [2] [3], which add security and isolation capabilities that are in several respects comparable to containers but without many of their restrictions in GUI use cases (this topic is focused on desktop use cases, not server, infra, and such). By default, SELinux does not enforce much within user accounts but only around them. But in graphical desktop...
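To make the "confined users" idea concrete, here is an added example (not part of the original post) of the steps an admin runs to move one login from the default unconfined mapping to the confined `user_u` SELinux user, plus a small parser over `semanage login -l` output so the result can be verified. It assumes `semanage` (policycoreutils-python-utils) is installed and SELinux is enforcing; the login name `alice` and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: confine a Linux login by
# mapping it to the SELinux user "user_u" (domain user_t).
# Assumptions: semanage is available and SELinux is enforcing.
# "alice" is a constructed placeholder login.

# Emit the commands that confine a login, as text, so they can be reviewed
# (or checked) before anything on the system is changed.
confine_cmds() {
    login="$1"
    seuser="${2:-user_u}"
    # Add the login -> SELinux user mapping.
    printf 'semanage login -a -s %s %s\n' "$seuser" "$login"
    # Relabel the home directory so files carry the new SELinux user part.
    printf 'restorecon -R -F /home/%s\n' "$login"
}

# Given "semanage login -l" output on stdin, print the SELinux user mapped
# to the login named in $1 (the header line never matches a real login).
seuser_of() {
    login="$1"
    awk -v l="$login" '$1 == l { print $2 }'
}

# Apply the mapping when run as root on an SELinux host; otherwise only
# show what would be done (dry run), so the script is safe to read-through.
confine_user() {
    login="$1"
    seuser="${2:-user_u}"
    if [ "$(id -u)" -eq 0 ] && command -v semanage >/dev/null 2>&1; then
        confine_cmds "$login" "$seuser" | sh -e
        # Verify the mapping took effect.
        semanage login -l | seuser_of "$login"
    else
        echo "dry run (not root or semanage missing):"
        confine_cmds "$login" "$seuser"
    fi
}

# Constructed sample of "semanage login -l" output for offline verification.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'
```

The `__default__` line in the sample is what a stock Fedora or RHEL install has: every login not listed explicitly gets `unconfined_u`, which is why the post says SELinux enforces little inside user accounts by default. Once `alice` is mapped to `user_u`, her shell runs as `user_t`, which (unlike `staff_u`) cannot use `su` or `sudo` and cannot run setuid programs, so check that the account really does not need those before confining it; `id -Z` after a fresh login shows the new context.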
Fix the docs, improve error messages, and create a GUI to improve usage.
All of that is fine to do, but it won’t fix the issue of much commercial software requiring SELinux to be disabled; that will only be fixed by the software companies actually embracing and supporting SELinux by creating rule sets to allow their software to work with SELinux.
I agree, but I don’t expect software companies to support it without clear documentation.
Lack of documentation isn’t the problem.
The problem is that companies don’t want to spend the time learning SELinux and supporting their software with SELinux. I’m an embedded Linux engineer and I see this all the time: companies are barely able to reach their product deadlines as-is; heaven forbid you add another requirement like SELinux to the mix.
Recently a supplier of ours announced that we could finally host their shitty Java app on Linux instead of paying fucking Oracle for Solaris. So we were eager to hear the requirements. It was RHEL 8.4 or something, a version that was already EOL at the time.
They can’t even update their distros apparently.