Tbf selinux tends to be a hell of a black box. Anytime my shit doesn’t work and I can’t explain why, I default to blaming selinux and hit up IT. Seems like I’m right about half the time lol
SELinux is super simple, you just gotta understand how the system works.
Once you understand the syntax and flow of SELinux policy then writing it is easy. Writing GOOD policy on the other hand …. Lmao.
Typically most IT departments “fix” it with setenforce 0 which is the equivalent of removing the seatbelt cuz you can’t figure out how to latch it.
Android has one of the most “robust” applications of it but it doesn’t serve the purpose a good policy does, it does add a substantial layer of defense. Apple contracted my company to come out and teach them how to SELinux a few years back. Ultimately they (companies that desire SELinux as an added layer of defense) tend to just pay “us” to do it instead lmao.
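As an added example (not from anyone in this thread), here is what the "latch the seatbelt" alternative to `setenforce 0` looks like in practice: read the AVC denial records SELinux writes to the audit log, say which domain was blocked from what, and sort each denial into "mislabelled file, relabel it" versus "needs a policy decision". The audit records below are constructed (the field layout is the kernel's, the values are made up); the triage rule is my own heuristic, and the tools it names (`matchpathcon`, `restorecon`, `getsebool`, `audit2allow`) are only mentioned, not run.

```shell
#!/bin/sh
# Added example, not the thread's own code: triage SELinux AVC denials from
# audit.log instead of turning enforcement off globally. Sample records are
# constructed; on a real host you would feed `ausearch -m AVC -ts recent`.

SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1700000000.120:455): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.500:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
)

# avc_field LINE KEY: value of the KEY=value pair in an AVC record, quotes
# stripped, empty if the key is absent.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "read write".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_mode LINE: was the access actually blocked, or only logged?
avc_mode() {
  case "$(avc_field "$1" permissive)" in
    1) printf 'permissive: logged only\n' ;;
    *) printf 'enforcing: access blocked\n' ;;
  esac
}

# avc_summary LINE: one human-readable line per denial.
avc_summary() {
  line=$1
  src=$(avc_type "$(avc_field "$line" scontext)")
  tgt=$(avc_type "$(avc_field "$line" tcontext)")
  printf '%s denied %s on %s labelled %s (comm=%s, %s)\n' \
    "$src" "$(avc_perms "$line")" "$(avc_field "$line" tclass)" "$tgt" \
    "$(avc_field "$line" comm)" "$(avc_mode "$line")"
}

# avc_triage LINE: my own heuristic, not an SELinux tool. A denial whose target
# carries a generic or user-home label usually means the file is mislabelled,
# so the fix is a relabel; anything else needs a deliberate policy decision
# (a boolean, or a narrowly scoped module), never a blanket setenforce 0.
avc_triage() {
  case "$(avc_type "$(avc_field "$1" tcontext)")" in
    user_home_t|default_t|unlabeled_t|tmp_t|var_t)
      printf 'relabel: compare matchpathcon output with ls -Z, then restorecon the path\n' ;;
    *)
      printf 'policy: check booleans (getsebool -a), else build a scoped module with audit2allow\n' ;;
  esac
}

# avc_scan: read audit records on stdin, print a summary for each denial.
avc_scan() {
  grep 'avc:  denied' | while IFS= read -r line; do
    avc_summary "$line"
    avc_triage "$line"
  done
}

printf '%s\n' "$SAMPLE_LOG" | avc_scan
```

Run it against a real log with `ausearch -m AVC -ts recent | avc_scan`. The second sample record shows why `permissive=1` matters: a domain can be put in permissive mode on its own (`semanage permissive -a httpd_t`) so only that domain's denials are logged rather than blocked, which is the targeted version of what `setenforce 0` does to the whole box.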
What I am saying is that it looks significantly more daunting than it truly is; once you understand the basic concept of it (which I’m positing is actually fairly simple) the rest follows easily.
Specifically here though I mean SELinux is “simple” if you understand how Linux works and operates, as you’re constraining syscalls and access
I think as a developer I just have no idea what policies are applied, so it’s just “somethings fucky here” all the time. Maybe an organizational issue :)
Yes, selinux is open source, I can look up the documentation, etc.
But since I’m not IT it isn’t my job to manage selinux - from my perspective it’s just something that rears its head when there’s a policy I didn’t know about that interferes with me running my stuff.
So from the perspective of it not justifying inflated wages, you’re probably right? Anyone can learn it. But in my experience few developers do.
Amazon throws money at people with niche skill sets.
They were paying engineers with experience with SELinux and CDS developers nearly 500k the past few years.
Insanity
Correct me if I’m wrong but I do believe that’s the point. 😆 That understanding it is the hard part.
I love these people who are like “no no, X is easy, because I understand it.”
Of course you think it’s easy — you understand it already…
It’s open source - literally the opposite of black box.
You’re talking implementation. I’m talking practice.