SELinux, why is it disabled?

I am currently evaluating NethServer for use in our office. I’m quite impressed so far. :smiley:

It’s probably not a deal breaker for us but why is SELinux disabled? I saw that it was changed from permissive, apparently because it was too noisy, but I can’t find any information on why it wasn’t left enabled in the first place. Surprisingly, no one else seems to have asked. I know that it can be a PITA but we’ve managed to tame it in our data centres wherever necessary and NethServer is one place you’d want it enabled more than any other. CentOS has it enabled by default so was something not playing ball?


good question, I have not the answer, it is also disabled for SME Server. @davidep has maybe some answers.

This is the short answer :joy_cat:

In ns6 it was in permissive mode. We thought one day it would become enforcing. Meanwhile the only thing it did was filling the audit log.

Turning it to enforcing would be wonderful but it is a big development effort. Many howtos out there start with “disable selinux”. Sometimes upstream packages have problems with selinux policies.

We can add selinux to ns7, and release final in 2018 :rolling_eyes:

1 Like

I did it yesterday on my laptop, tired of the bridge which didn’t start :frowning: and many other problems relative on samba or printer…etc

1 Like

Haha, I appreciate your honesty.

Broadly speaking, official CentOS packages should work with SELinux under their default configurations. If not then it’s a bug. The same goes for Fedora, where I also keep SELinux enabled. If we go with NethServer, and it’s looking very likely that we will, then I’ll try to find time to put it in permissive mode and work out what needs to be done. It might not be much, one missing rule can make a lot of noise.

I lobbied behind the scenes to disable selinux, I apologize to @giacomo.
We want SELinux enabled, we ran in permissive mode to collect logs hoping to succeed in switching to enabled in a future release. But, honestly, we never find resources to work on it. So, I said “we have enough logs, let’s stop writing to disk” until we work on SELinux again.

I can provide you old logs from 6.7 or you could enable again selinux on 7. Revert this: