• SELinux missing in Antergos


    Hello
    Can anyone give me a good reason why Antergos and Arch come without SELinux enabled?

    I read here that everyone should choose a distro with it enabled. I am sure that not everyone would agree to that though.

    As far as I understand this is something in the kernel and we can’t just install and run it.

  • @amilopowers said in SELinux missing in Antergos:

    Can anyone give me a good reason why Antergos and Arch come without SELinux enabled?

    Try to use a distro with SELinux preinstalled and enabled by default. For example, Fedora. SELinux alerts pop up every two or three minutes. When a computer is booted up, when an Internet connection is established, when a file manager is opened, when a document is opened, when a not statically mounted partition is accessed, when an Internet browser is launched, when a site is accessed, thankfully, not when a computer is powered off.

    Yes, opening a document may be dangerous. Do not open a document. Yes, visiting an Internet site may be dangerous. Do not visit Internet sites. Yes, an Internet browser may be dangerous. Do not use Internet browsers. Do not use Internet at all. Yes, accessing other partitions on your disks may be dangerous. Do not read anything from your disks. Yes, powering a computer on may be dangerous. Do not power on a computer. Do not use a computer.

    There’s no time for a normal use of a computer. All time is spent to close endless SELinux pop up windows.

    As far as you proceed the number of SELinux alerts decreases. They usually completely disappear in a week or two. Even from Fedora. It’s up to a user to decide how rigid SELinux should be.

    SELinux doesn’t come with pre-established alerts level. By default, it alerts about all possible threats. It’s up to a user to decide which ones are real and which ones are useless distracting alerts.

    SELinux is yet another Red Hat’s monster, similar to pulseaudio and systemd viruses.

    Regards

  • Try to use a distro with SELinux preinstalled and enabled by default. For example, Fedora. SELinux alerts pop up every two or three minutes. When a computer is booted up, when an Internet connection is established, when a file manager is opened, when a document is opened, when a not statically mounted partition is accessed, when an Internet browser is launched, when a site is accessed, thankfully, not when a computer is powered off.

    This is entirely untrue at least for Fedora 22 to 25 when I had been using it. SELinux prompts pop up maybe every two weeks or so.

    So still waiting for a legitimate answer.

  • In fact, you can install SELinux with a selinux enabled kernel (but it’s not an easy task):
    https://wiki.archlinux.org/index.php/SELinux

    But the real reason arch kernel is not SELinux “enabled” is here:
    https://lists.archlinux.org/pipermail/arch-general/2014-March/035638.html

    Enabling audit support causes an enormous performance hit for system calls by forcing the slow path to be used and spams the kernel logs.

    And every distribution configures for example Apache with slightly different directories and the rules need to take this into account, so the SELinux rules are specific for Fedora and can not be easily reused for Arch.

    If you do not want to write rules yourself, but want to increase security on your Arch, you can use the linux-grsec kernel package. It provides a hardened kernel and a MAC Framework with a learning mode:
    https://wiki.archlinux.org/index.php/Grsec

    Cheers!

  • @amilopowers said in SELinux missing in Antergos:

    This is entirely untrue at least for Fedora 22 to 25…

    I currently test Fedora 26 Beta. It may explain an elevated number of alerts in it.
