undefined | Better HN

0 pointsXorNot1y ago0 comments

It's baffling to me that SELinux's UI is like...the best we can apparently do?

The underlying concepts of SELinux aren't so hard but trying to manage it in any sort of coherent way is a nightmare - up to and including the provisions in it for a network based policy server component which just never appeared.

And it sucks! In theory it does so many things we really really want, and should do more. Like I as a user have a great interest in ensuring my home directory files follow sensible markings based on their content - my SSH keys, AWS keys, or banking files all exist in different logical zones of control.

And this is a concept SELinux can handle...but the tools are just so bad at surfacing it.

0 comments

mike_hearn1y ago

It's not. The (undocumented!) SBPL that Apple OS' use is easier to understand and debug than selinux, in my experience.

giancarlostoro1y ago

Reminds me of git itself, you read about its internals it sounds easy. You start trying to figure out how to map commands in a way that makes sense, it baffles you when things break.

TheRealPomax1y ago

Why would the NSA want to make something easy to use for others?

Gud1y ago

Why wouldn't they?

gizmo6861y ago

Because that's not their job. The NSA sponsored the development of SELinux because they needed something to solve their problems. The current state of SELinux does that. Why would they spend resources solving problems that they don't have.

1 more reply

TheRealPomax1y ago

Kind of a weird counter-question? Why would any business spend more effort on building a tool than is necessary to make the tool they need? The NSA doesn't care about brownie points.

throwaway8943451y ago

I haven’t touched SELinux. How does it compare to Systemd (presently my standard for “ubiquitous despite terrible UX”).

j / k navigate · click thread line to collapse

0 comments

mike_hearn1y ago

It's not. The (undocumented!) SBPL that Apple OS' use is easier to understand and debug than selinux, in my experience.

giancarlostoro1y ago

Reminds me of git itself, you read about its internals it sounds easy. You start trying to figure out how to map commands in a way that makes sense, it baffles you when things break.

TheRealPomax1y ago

Why would the NSA want to make something easy to use for others?

Gud1y ago

Why wouldn't they?

gizmo6861y ago

1 more reply

TheRealPomax1y ago

Kind of a weird counter-question? Why would any business spend more effort on building a tool than is necessary to make the tool they need? The NSA doesn't care about brownie points.

throwaway8943451y ago

I haven’t touched SELinux. How does it compare to Systemd (presently my standard for “ubiquitous despite terrible UX”).

j / k navigate · click thread line to collapse