Best title for a post: Why I hate SELinux

Why I hate SELinux is a terrific post with more than just the best title I’ve seen in a long time.

So the guy creates and permissions a home directory manually and then associates an account with it. Then he tries logging in over ssh and gets this error:

Could not chdir to home directory /home/russell: Permission denied

The next bit from the post would be funny if it wasn’t something I’ve experienced myself:

After way too much time screwing with this, I remembered that selinux is implemented as a security level on top of the file permissions. I changed the current selinux enforcing mode to “Permissive” and suddenly it started working. I could login without getting that error.

If you really want to delve into the details of the “right way” to fix the problem, go read the post. After, what, a decade of SELinux, the following paragraph really nails it for me:

What is so insidious about this is that because most applications aren’t selinux aware (like apparently bash), they give error messages that are exactly the same as the error messages they would give for traditional file permission problems. This gives the error’s recipient no clue where to look for the problem.
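Where to look, as an added check that is not from either post: the script below compares a directory’s on-disk SELinux context with the context the policy expects for that path, and on a mismatch points at the audit log and at restorecon rather than at permissive mode. It assumes GNU stat, matchpathcon, ausearch and restorecon exist on the affected host; the example contexts in the comments are constructed.

```shell
#!/bin/sh
# Triage a "Could not chdir to home directory" that is really an SELinux
# labelling problem, and fix the label instead of switching to permissive.
# Example (constructed) contexts: a directory created by hand with mkdir
# inherits its parent's type, e.g. "unconfined_u:object_r:home_root_t:s0",
# while the policy expects "system_u:object_r:user_home_dir_t:s0".

# Extract the SELinux type (third colon-separated field) from a context string.
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Compare the type of an actual context with the type of an expected context.
# Returns 0 when they match, 1 when the path is mislabelled.
label_matches() {
  actual_type=$(selinux_type "$1")
  expected_type=$(selinux_type "$2")
  [ "$actual_type" = "$expected_type" ]
}

# Live check on an SELinux host. stat -c %C prints the context stored on disk;
# matchpathcon -n prints the context the loaded policy assigns to that path.
check_home() {
  dir=$1
  actual=$(stat -c %C "$dir")
  expected=$(matchpathcon -n "$dir")
  if label_matches "$actual" "$expected"; then
    echo "$dir is labelled correctly: $actual"
    return 0
  fi
  echo "$dir has type $(selinux_type "$actual"); policy expects $(selinux_type "$expected")"
  echo "matching denials, if enforcing: ausearch -m AVC -ts recent"
  echo "relabel in place instead of going permissive: restorecon -Rv $dir"
  return 1
}

# Usage: ./check_home.sh /home/russell
if [ $# -gt 0 ]; then
  check_home "$1"
fi
```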

The basic problem with the way SELinux was implemented is that they made no provision for even semi-intelligent error messaging to go along with the one-size-fits-all default clamp of death that Mandatory Access Controls (MAC) get over the entire system. Over in the alternate universes that are Ubuntu and SuSE I’ve seen similar issues with AppArmor.

I’m in agreement with the author of the post that I like the concept of MAC, but find the way it has been implemented to be the biggest impediment to its adoption — even in the enterprise where we tend to have more patience for kludgey solutions.