SELinux is super simple, you just gotta understand how the system works.
Once you understand the syntax and flow of SELinux policy then writing it is easy. Writing GOOD policy on the other hand …. Lmao.
Typically most IT departments “fix” it with setenforce 0 which is the equivalent of removing the seatbelt cuz you can’t figure out how to latch it.
Android has one of the most “robust” applications of it but it doesn’t serve the purpose a good policy does, it does add a substantial layer of defense. Apple contracted my company to come out and teach them how to SELinux a few years back. Ultimately they (companies that desire SELinux as an added layer of defense) tend to just pay “us” to do it instead lmao.
What I am saying is that it looks significantly more daunting then it truly is, once you understand the basic concept of it (which I’m positing is actually fairly simple) the rest follows easily.
Specifically here though I mean SELinux is “simple” if you understand how Linux works and operates, as you’re constraining syscalls and access
I think as a developer I just have no idea what policies are applied, so it’s just “somethings fucky here” all the time. Maybe an organizational issue :)
SELinux is super simple, you just gotta understand how the system works.
Once you understand the syntax and flow of SELinux policy then writing it is easy. Writing GOOD policy on the other hand …. Lmao.
Typically most IT departments “fix” it with
setenforce 0which is the equivalent of removing the seatbelt cuz you can’t figure out how to latch it.Android has one of the most “robust” applications of it but it doesn’t serve the purpose a good policy does, it does add a substantial layer of defense. Apple contracted my company to come out and teach them how to SELinux a few years back. Ultimately they (companies that desire SELinux as an added layer of defense) tend to just pay “us” to do it instead lmao.
Correct me if I’m wrong but I do believe that’s the point. 😆 That understanding it is the hard part.
I love these people who are like “no no, X is easy, because I understand it.”
If course you think it’s easy — you understand it already…
What I am saying is that it looks significantly more daunting then it truly is, once you understand the basic concept of it (which I’m positing is actually fairly simple) the rest follows easily.
Specifically here though I mean SELinux is “simple” if you understand how Linux works and operates, as you’re constraining syscalls and access
I think as a developer I just have no idea what policies are applied, so it’s just “somethings fucky here” all the time. Maybe an organizational issue :)