SELinux: a must have?

Hi guys and gals, hope you’re having a good one. I wanted to ask a question that’s been bothering me for some time now. Over the past two years or so I’ve been using Arch Linux and it’s been really good; I haven’t had any major issues and it has made me learn some things about how the OS works and how it’s configured.

The thing is, I perceive that there’s some consensus that Linux overall is more private than other operating systems available. Security, however, is another story, and it seems to me that if security is lacking, then privacy could be compromised in some form.

That’s why I wanted to ask, from a pragmatic point of view: could using another distro, such as openSUSE Tumbleweed or Fedora, which have SELinux preconfigured (and with sane defaults, I guess), improve the security of the OS moderately or significantly? Currently I don’t even use AppArmor due to how much of a headache it is to configure any MAC system at all, but I understand how they are important.

Thanks in advance!

1 Like

I think this would depend on your threat model and what level of security is going to be satisfactory for you.

For most, full disk LUKS encryption + using Cryptomator for or with your cloud storage needs is more than enough.

But I am more than not an average desktop Linux user and don’t do too much on my PC for me to ask the questions you’re asking when I already have LUKS & Cryptomator set up.

1 Like

Yeah, I’d agree FDE and encryption for various files is probably more than enough for most people because it addresses plenty of risks. I was just wondering, as if to minimize hypothetical (although probably infrequent to rare) threats that could happen sporadically, how a solution such as SELinux could prove beneficial.

I also guess a case could be made in that being aware of the sources that the user chooses to download/install programs and setting a firewall could have a more significant impact for the regular user.

1 Like

I used apparmor.d to configure and keep the profiles updated.

2 Likes

I heard of these profiles a long time ago, but didn’t try them because at the time they seemed to be beyond my comprehension. I’d like to ask, how would you describe your experience using them?

1 Like

Hmm, pretty hassle free. Install the profiles from the AUR, load the profiles in complain mode, enforce based on your use, keep updating the profiles via AUR, done.

2 Likes
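The complain-then-enforce workflow described in the post above, as an added example that is not the poster's own code: it groups AppArmor audit events by profile so you can see which profiles still log complain-mode hits before you enforce them. The log lines are constructed samples and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: group AppArmor audit events by profile to see which profiles
# still log complain-mode ("ALLOWED") hits and are not ready to be enforced.

# Constructed sample lines in the kernel audit format AppArmor logs.
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="firefox" name="/home/alice/Downloads/report.pdf" pid=4100 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000001.250:202): apparmor="ALLOWED" operation="open" profile="firefox" name="/home/alice/Downloads/report.pdf" pid=4100 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000002.007:203): apparmor="ALLOWED" operation="mknod" profile="pass" name="/home/alice/.password-store/x.gpg" pid=4222 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000003.900:204): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/shadow" pid=812 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000004.100:205): apparmor="STATUS" operation="profile_load" profile="unconfined" name="firefox" pid=300 comm="apparmor_parser"
EOF
}

# Print "profile<TAB>mode<TAB>operation<TAB>mask<TAB>path<TAB>count" per distinct event.
# Values the kernel hex-encodes (unquoted, e.g. paths with spaces) come out empty here.
summarise_events() {
  awk '
    function field(key,   re, s) {
      re = " " key "=\"[^\"]*\""
      if (!match($0, re)) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    {
      mode = field("apparmor")
      if (mode != "ALLOWED" && mode != "DENIED") next   # skip STATUS records
      k = field("profile") "\t" mode "\t" field("operation") "\t" field("denied_mask") "\t" field("name")
      n[k]++
    }
    END { for (k in n) print k "\t" n[k] }
  ' | sort
}

# Profiles with complain-mode hits: enforcing them now would block these accesses.
profiles_not_ready() {
  summarise_events | awk -F '\t' '$2 == "ALLOWED" { print $1 }' | sort -u
}

sample_log | summarise_events
```

On a live system, pipe the kernel log into it instead of the sample, for example `journalctl -k | profiles_not_ready`.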

I’m no expert but SELinux seems to be the preferred one. It’s used by Android/GrapheneOS, which adds to its reputation. I think it’s also one reason why Fedora gets an endorsement from Privacy Guides; I’ve even heard some cybersecurity influencers say Fedora has a great out-of-the-box configuration for it.

I cannot speak to the quality of AppArmor, but I hear more people singing the praises of SELinux.

1 Like

SELinux has more granular permissions, but that also makes it more difficult to scalably create and maintain policies (across an entire Linux distribution), so AppArmor is used as a simpler configuration solution.

2 Likes

Full disk encryption is only useful against theft/data recovery, it does nothing against exploits or malware.

If you want more security on Linux check Secureblue which has hardened malloc and a bunch of other security enhancements.

6 Likes

As someone who has written quite a few SELinux policies for RHEL/Fedora-based systems, I can tell you that their base policy is terribly lax for desktop use. User processes run unconfined by default; most system processes run in their own domain, but some of these are quasi-unconfined or very lax, too. Their labeling is not fine-grained at all, which gets in your way if you actually want to write fine-grained policy modules. It’s better than nothing, but not comparable to Android’s fine-grained policy at all, which actually would be a massive security improvement.

I would recommend learning how to deal with AppArmor instead, which is much easier to understand and write policies for than SELinux. You can use https://apparmor.pujol.io as a starting point with many profiles. It won’t be completely hassle-free, but it’s worth putting time into it. This would allow you to stick to Arch.

If you don’t want to invest any time into dealing with MAC at all, switch to Secureblue instead, which has only slight improvements to Fedora’s SELinux policy at the moment, but other security improvements.

8 Likes
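A way to check the claim in the post above on your own machine, as an added example that is not the poster's code: it parses `ps -eZ` output and lists the processes running in unconfined SELinux domains. The sample output is constructed, the function names are hypothetical, and treating any type whose name contains "unconfined" as unconfined is an assumption.

```shell
#!/usr/bin/env bash
# Added example: read `ps -eZ` output and report which processes run in an
# unconfined SELinux domain, plus a per-domain tally.

# Constructed sample of `ps -eZ` output (labels typical of a Fedora-like desktop).
sample_ps() {
cat <<'EOF'
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:kernel_t:s0         2 ?        00:00:00 kthreadd
system_u:system_r:sshd_t:s0-s0:c0.c1023 980 ?    00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1203 ? 00:00:00 vendor-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2101 ? 00:00:03 gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2544 ? 00:01:10 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2601 ? 00:00:20 Isolated Web Co
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2890 pts/0 00:00:00 bash
EOF
}

# Emit "pid<TAB>domain<TAB>command" per process. The label is user:role:type:level;
# the type is field 3 and the MLS level after it may itself contain colons.
proc_domains() {
  awk '$1 ~ /^[^:]+:[^:]+:[^:]+/ {
         split($1, ctx, ":")
         cmd = $5; for (i = 6; i <= NF; i++) cmd = cmd " " $i
         print $2 "\t" ctx[3] "\t" cmd
       }'
}

# "domain<TAB>count", largest first.
domain_counts() {
  proc_domains | awk -F '\t' '{ n[$2]++ } END { for (d in n) print d "\t" n[d] }' |
    sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Assumption: any type containing "unconfined" (unconfined_t, unconfined_service_t)
# counts as unconfined for this report.
unconfined_procs() {
  proc_domains | awk -F '\t' '$2 ~ /unconfined/'
}

sample_ps | unconfined_procs
```

On an SELinux system, run `ps -eZ | unconfined_procs` or `ps -eZ | domain_counts` to see the real picture.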

If your top priority is using GNU/Linux and your second priority is security, then SecureBlue is the best fit for you.

secureblue.dev

1 Like

For a brief second I confused your title with SEL4/seL4 😅 which IMO is an interesting project but not built for desktop. Redox OS (designed for desktop & server use) uses a microkernel architecture inspired by seL4 but it’s still a WIP.

I’ve checked user reviews for Fedora + SELinux and it’s a mixed bag [1] [2] [3] [4].

1 Like

Definitely. I used to be like most people, totally clueless about what SELinux does. I just looked up stuff on Reddit or Hacker News and took over basically uninformed opinions. Without MACs, systems are way easier to penetrate or exploit, and it’s not just a server thing. Let me try to explain it in simpler terms, although I’m not sure it’s a good analogy:

Imagine your operating system was the White House. Without MAC, you have basic restrictions.. doors for security areas/levels. You’ve got the president, his generals, his political staff, janitors, journalists, visitors, people who can’t enter at all, you know the drill. Certain groups can’t just go into certain areas protected by doors etc. But it’s not very sophisticated. Without MAC, the janitor might look through the general staff’s windows through the garden he takes care of, or the coffee lady starts following one of the Generals without him noticing.

With AppArmor, the restrictions get a lot tighter. AppArmor, but only if configured (like SELinux), dictates who can talk to whom, and names(!) of places they’re allowed to go or not, and it also takes protocols.

SELinux just takes it to another level. SELinux basically lets you control everything. Which room gets electricity from which supply, who can switch on/off which light in which room, which electric supply supplies which authority level, who’s allowed to enter which exact place or which exact type(!) of places, who’s allowed to use which exact objects (like a coffee machine) when and where for whom.. I hope you get the idea.

Physical attacks, malware, and stuff like that usually try to find weak spots in systems and a system with MAC protection makes those attacks way less likely or just less fatal. Honestly, I can’t take distributions seriously if they don’t bother setting up basic SELinux policies. It just shows they aren’t taking security seriously and think Linux is safe because Linux on desktop isn’t a big target atm due to Linux on desktops having such a small market share. Yeah, preconfigured policies of distributions like Fedora aren’t strict at all, but I reckon that’s because Linux on desktop is still trying to attract more users, and stricter policies could mess things up and make them harder to use. I think big ones like Fedora and OpenSUSE are going for immutable distributions and I’m sure once they get popular, SELinux policies will tighten up a lot.

1 Like

Poor documentation & usability are the two common problems I see most users complain about. But I agree with you that turning it off for good should not be a long-term solution.

1 Like

Thanks for the insight, it’s pretty interesting as well coming from someone that has dealt with SELinux policies; I can’t imagine how tough it really is. As for what I’m getting from the comments so far, at least for my use case and threat model, SELinux is not something I should lose sleep over (though it’s certainly a fine addition).

I guess for the time being I’ll try setting AppArmor up with the help of apparmor.d, since I don’t want to make the perfect the enemy of the good, and going by the answers of everyone else in the thread (for which I’m very thankful to y’all), it’s better than not having any MAC whatsoever. Plus it’d make for an interesting experience learning how it behaves and works on the system.

I’ll report later down the line to summarize my experience so far with AppArmor. Thanks a lot to everyone, I appreciate the support!

5 Likes