Hacker News new | past | comments | ask | show | jobs | submit login

And from my experience, most admins turn it off immediately rather than rewriting security policies so that Apache can access data outside of /var/www/, etc. Sure you could modify the policy, but it's enough of a hassle that no one I know has ever done it.

Restrictive security that just gets in people's way is terrible security. Just like forcing people to change their password every 14 days results in people using the same password repeatedly and incrementing a digit on the end (or writing the password down and sticking it on their monitor), creating overly complex rules means that people who absolutely must deal with these things (or who have the time) do so, and everyone else just turns it off and forgets it ever existed.




I'm glad I'm not the only one that hates SELinux. I find its setup to be super complicated yet all it ends up doing is stuff that I can do anyway with native unix permissions. As best I can tell it's a completely parallel world that is just there in case you mess up your normal permissions.


You admit that you don't understand SELinux so could it be that you hate it because you don't understand it?

The fact is there are a lot of things that SELinux makes easier. In SELinux you have your services run in contexts and you can say what they can do (e.g. can listen on port 80 but not make outgoing connections, etc.). You no longer have this ridiculous need to run as one user (root) and switch to another.

Unix security is so simple that, for my tastes, it's actually more complex to set up securely than SELinux. If you use a distro that supports it SELinux is drop dead simple anyway.




Consider applying for YC's Summer 2025 batch! Applications are open till May 13

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: