Thank you Shawn, this is probably the clearest video about SELinux on youtube ! I remember discovering you like 10 years ago on the CBT nuggets videos for LPIC certification. Your enthusiasm, amazing teacher skills and your passion about Linux helped me a lot through the learning process, thank you for that and for the amazing content.

@shawnp0wers

10 ай бұрын

Thank you! It can be such a confusing beast, I'm glad my explanation makes sense! Also glad you found me here! :)

@Starcloud1986

6 ай бұрын

I completely agree with you! Thanks Shawn Powers!

I tried in vain to understand SElinux in CompTIA Linux+, but you describe it so simply that it is really fun. A well spent half hour.

@shawnp0wers

11 ай бұрын

Thank you!

Thank you for the video. Feels like Internet has way too little information about SELinux.

@shawnp0wers

10 ай бұрын

It can be such a tough topic. And while this certainly doesn't cover every detail of it, my hope was to make what it does understandable, and dealing with it possible. (Instead of just turning it off, which I'll admit I've done a LOT of times myself!)

I want to thank you Shawn for your great content. I passed my exam today with your help. I found your videos a week ago and it was what I needed to not only reinforced what I had learned so far but actually allowed to me understand topics which other videos or course did not go into. Keep up the great work and I hope others find your content as informative as I did.

@shawnp0wers

11 ай бұрын

First off -- CONGRATS! And thank you, that means a ton to me! :)

Thank you Shawn. SELinux is definitely one of the most confusing topic on the Linux+ exam, but you have made it much more understandable.

I love SELinux. Sure the config is a pain, but I learned how to read the log file, set Booleans, configure contexts, etc. with a little bit of learning and effort, you too can be an SELinux pro! It’s a great addition to your server security and has prevented my web server from getting compromised.

This need to be the first intro to SELinux for everyone. I learned the hard way when it was rolled out. I hate it because it took me farther down the Linuxhole than I wanted to go.

My first job as a sysadmin had me work on CentOS machines and I just hated SELinux. I have yet to meet anybody who likes it. Like you said though, it came from a good idea but the implementation and its user-friendliness are debatable.

@brentsaner

8 ай бұрын

I like it. I deploy it in prod. It's proven to stop vulns that otherwise would have succeeded and given attackers access. There's a learning curve, but part of that is because of how flexible it is compared to something like AppArmor - just like any proper security engineering.

@szmonszmon

Ай бұрын

You probably work with a people with skill issue. It happens...

The selinux log is hundreds of lines of the most incomprehensible log file I have ever seen. Great video- thanks. Helped my understanding a lot.

@shawnp0wers

8 ай бұрын

Glad it helped!

That was an awesome overview

I can't even enable SElinux :D Installed a fresh copy of Rocky Linux which came with policycoreutils preinstalled but sestatus showed disabled. There was no config file in /etc/selinux/, but I created one a filled with SELINUX=enforcing/permissive, restarted the system after every change, but still disabled. Uninstalled policycoreutils, restarted the os, installed it again (still no config) file, restarted but still disabled. Installed it on Ubuntu where it created the config file, change the SELINUX value to permissive/enforcing, restarted but it's still disabled.

@Recumbent_IT

Ай бұрын

Installed CentOS and it also doesn't have the config file and SElinux is disabled by default.

@Recumbent_IT

Ай бұрын

Found the issue. I was using containers and WSL and apparently SElinux won't work on those. I've just spinned up a linux VM and it's enabled by default.

Thanks!

semanage @27:28 vs. setsebool

"I Hate SELinux because it does what it was made to do" - corrected xD

I think its a pity, that people have such a hate, for a technology this important. Even the teachers i had for Linux, teached us to turn it off completely. I don't like when we teach bad practices.

@shawnp0wers

11 ай бұрын

I understand the concern over teaching bad practices - the thing about SELinux is that the added security it offers, particularly is the bulk of situations, pales in comparison to its complexity and the frustration it causes. A security practice is only as good as it’s usability, in a practical sense. Don’t get me wrong, I really do understand your frustration, and agree in spirit. But “the juice isn’t worth the squeeze” in my experience. I wish that weren’t the case.

@Agnubis

11 ай бұрын

I tend to agree with Shawn with the caveat that if you work on systems that should be made highly secure in huge companies (yes, it's anyway always a good idea to harden your machines) you're going to want to use all the tools that you have at your disposal. If that means getting your hands dirty with SELinux and getting experienced with it, it'll probably be worth it in the long run as long as your team has a proper documentation that comes with how it's used on servers. However, just because something is important, like SELinux is, does not mean we can't dispute how it was implemented and its apparent complexity. I know that not everything can be made simple but especially when it comes to security which is so important nowadays, it's a good idea to, when possible, consider this when creating features (keeping in mind when SELinux was created, of course).

Thank you

Thank you Shawn .. you managed to make me hate SELinux too :D

I also hate SELinux. I have very little experience with it but the experience i do have has always just been a headache. It doesn't seem to fix a problem and just makes things more complicated. If i don't want the web server accessing files, that's what file permissions or for. If I don't want people having web directories in their home directories, that's a setting in Apache. Adding a second step just confuses things and is more likely to break something.

I hate AppArmor lol

great video.only why do you verlbalize commands so much. its much easier to do 0 1 2 then permissive enforcing and whatever is 3 shit. same with on off. off is 3 letters, 0 is only one. and you have to memorise off because it can theoreticaly also be disabled, or disable or remove

I hate se linux. Learned about it for months, kept getting permission context errors. Couldn't get anything to work so I just disabled it entirely

@12six69

3 ай бұрын

lmao