On 11/10/25 6:52 AM, Sam Varshavchik wrote:
> According to Google Skynet, Fedora Core 3 was the first release that had
> SELinux enabled by default.
>
> That was more than 20 years ago.
>
> I think that 20 years is more than long enough for this kind of
> technology to mature, and work the kinks out, and then it's smooth
> sailing from that point on.
>
> Yet, for the umpteenth time I have to create yet another bug for an AVC
> failure, and watch it being dupe-hammered, and everyone else's reports
> also having the same fate, for the next year or so. Why?
>
> I have to conclude that there's something fundamentally broken with
> SELinux. SELinux AVC denials should be rare. Like once in a blue moon.
> The fact that they still come out of the firehose, non-stop, and some
> poor soul has to chase down as many as possible, letting all others
> expire and autoclose – that is not right. This shouldn't happen.
>
> The current state of affairs would not be unreasonable say, within the
> first five years of SELinux's existence. But not 20 years later. Come
> on. Either fix the fscking thing, or get rid of it. When I have to
> install a cron job to run restorecon every five minutes, while the
> corresponding bug ages, that's a big honking clue that something is
> wrong in the state of Denmark.
>
> I might be wrong, but AFAIK Fedora/RHEL is the only Linux distribution
> that still screws around with SELinux. Google Skynet also mentioned that
> something called "Amazon Linux" also has SELinux enabled. Who? That
> doesn't count. So, resuming: if anyone ever wonders why only Fedora/RHEL
> bothers with SELinux, hopefully this clears it up. I believe that
> SELinux is fundamentally broken, and I don't think it's fixable in its
> current state. Fortunately, it is easy to turn it off. But is that what
> SELinux's advocates will say is the solution? Really? And if not, what
> /is/ the solution?
>
> Can someone come up with the answer to the following answer: what can,
> and should be done, to fix the constant pain point of AVC denials,
> permanently?

Have you watched this video? https://www.youtube.com/watch?v=_WOKRaM-HI4
The slides are available at
https://people.redhat.com/tcameron/Summit_2018/selinux/

SELinux generally only throws errors if you're doing something
unexpected. I use both RHEL and Fedora pretty extensively, and I get
SELinux errors once in a blue moon. I'm not arguing with your experience
at all - I get how frustrating SELinux can be. That's why I did that
video at Red Hat Summit. I just don't see errors very often, and when I
do, it's pretty easy to fix them once you know how.

If you want to post specifically what you have run into, I'd be happy to
offer what advice I can.

--
Thomas