Thread 107068658

26 posts 4 images /g/
Anonymous No.107068658 >>107072215
"You don't need SELinux"
Multiple fa/g/s told me I don't need SELinux and it's overkill for home usage and casual users. Okay... even Android has SELinux, what's your point?
sage No.107068682 >>107069059 >>107069072 >>107069112 >>107069210
Don't download and run viruses and you won't need it.
Simple as.
Anonymous No.107069059 >>107069072
>>107068682
This.
You have to actively try to get a virus on Linux to get infected.
Anonymous No.107069072 >>107069081 >>107069114
>>107069059
>>107068682
Just let any application freely read, write and delete your home directory then. Just let any app have full networking. Okay.
Anonymous No.107069081
>>107069072
As I said, you'd be actively looking to get fucked.
Anonymous No.107069083 >>107069107
Use case for security?
Anonymous No.107069107
>>107069083
Maybe you don't need an application having full access to everything.
Anonymous No.107069112
>>107068682
You put sage in the options field.
Anonymous No.107069114 >>107069119 >>107069124
>>107069072
you should trust every application on your device. running software you don't trust and then trying to limit what it can do is the wrong approach
Anonymous No.107069119
>>107069114
>you should trust every application on your device
The complete retard's guide to computer security.
Anonymous No.107069124 >>107069126
>>107069114
But what if you don't want a video player using the network? I don't want something sending file names to retrieve album artwork. I have that all done myself.
Anonymous No.107069126
>>107069124
>But what if you don't want a video player using the network?
use software that does not contain that feature
Anonymous No.107069203 >>107069221 >>107072775 >>107073767
You never know when some tranny will push a commit with malicious code. It is better to be safe than sorry. All it takes is running the wrong thing once and it's over, it doesn't matter if you never do it 99.99% of the time
Anonymous No.107069210
>>107068682
fpbp
Anonymous No.107069221 >>107070620
>>107069203
This. Just look at the shit that goes on in AUR.
Anonymous No.107070429
SELinux is an NSA backdoor
Anonymous No.107070620
>>107069221
Don't try to argue with these people here. They don't want to understand.

If you understand what SELinux is and does, you end up realizing that any distro that doesn't do all the tedious work to set up SELinux correctly for you shouldn't be used for anything but tinkering.
Anonymous No.107072215
>>107068658 (OP)
Android uses SELinux as a replacement for Unix permissions. You have literally no local security on Android without it. Totally different proposition from Red Hat where it's just an augment.
Anonymous No.107072330 >>107072454
I need selinux AND immutable os so that everything runs in a little read only container.
Anonymous No.107072454
>>107072330
Secureblue
Anonymous No.107072775
>>107069203
>You never know when some tranny will push a commit with malicious code
sadly, this
Anonymous No.107073767 >>107074069
>>107069203
how does selinux make a difference? if the kernel is compromised, it can do everything. But of course you are probably just talking about packages (.
selinux feels like it has benefits, but I only see any good examples.
for example I asked AI what's the difference between unix permissions and selinux, and it said that selinux would prevent an application such as a browser from accessing other files it shouldn't be allowed to, which might be true as a contrived example, but that's what apparmor already does, and then making a prompt of selinux vs apparmor AI says selinux is better because it has "Multi-Level Security" whatever that means, I tried to see if there are any real world examples but after 2 minutes of only seeing AI sites I gave up.
Probably some multi-user Windows style ACL thing, and I bet selinux has stuff that's beneficial to servers (something with containers that apparmor technically supports but the redhat article won't specify exactly what's wrong with apparmor for containers?).
Also I just disable apparmor because it had issues with GPU passthrough, not sure if I disabled apparmor for my whole PC or just Qemu.
Anonymous No.107074069 >>107074554
>>107073767
MAC frameworks model program execution flow so compromised programs can't do much that the normal program doesn't do already. It prevents the compromised Bluetooth service on your unsupported chinkphone from being leveraged into root. SELinux, AppArmor, and Windows WDAC / WIC are all MAC frameworks. AppArmor is dramatically less effective SELinux for when you know you're not hiring people smart enough to make SELinux policy. ACLs are unrelated.

It's different from containers and VMs in that you don't have to worry about moving things to / from host context or loading redundant code.
Anonymous No.107074554 >>107074895 >>107074960
>>107074069
Sorry, you are correct that ACLs are unrelated.
But looking deeper into selinux all I see is that containers are the only sane way of taming applications and selinux can handle containers better.
But the real question is, can I install Vscode / discord on fedora or whatever selinux OS and be protected in a container, and access my home directory?
Does it even install it in a container at all, or is it just for flatpaks or some obtuse sandbox that nobody wants to use?
And also, I see that selinux is better for containers because "With AppArmor, it’s not possible to keep separation between containers." But I can't tell if this is inside of the container, or if it's just the process AKA, the malicious code broke out of the container which is normally not supposed to happen (selinux is better, but it's hard for me to care, and I already know ubuntu won't store applications/appimages in containers, so I find it hard to think fedora / installing selinux would change anything).
Anonymous No.107074895
>>107074554
Containers and MAC are generally not related.
>if it's just the process AKA, the malicious code broke out of the container which is normally not supposed to happen
Yeah that's pretty much the only case it comes into play. SELinux contextuality means it can make different rules depending on which container something came from. That's assuming you have SELinux rules for a container. Which is something you probably have to make for yourself.
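
Added example, not part of the thread: a simplified model of the per-container separation discussed in the post above, where two containers share the same SELinux type but carry different MCS category pairs. The allow table and all labels are constructed for illustration (type names follow the usual container policy naming); this is not the kernel's actual decision logic.

```python
# Simplified model of SELinux type enforcement plus MCS category checks.
# Not the kernel's algorithm; the allow table and labels are constructed.
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    setype: str
    sensitivity: int
    categories: frozenset

def parse_context(label: str) -> Context:
    """Parse 'user:role:type:sN[:cA,cB.cD]' (single level, no low-high range)."""
    parts = label.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"unsupported context: {label!r}")
    user, role, setype, sens = parts[:4]
    cats = set()
    for item in (parts[4].split(",") if len(parts) == 5 else []):
        lo, _, hi = item.partition(".")          # 'c0.c3' means c0 through c3
        first, last = int(lo[1:]), int((hi or lo)[1:])
        cats.update(range(first, last + 1))
    return Context(user, role, setype, int(sens[1:]), frozenset(cats))

# Constructed type-enforcement table: (source type, target type) pairs allowed.
ALLOW = {("container_t", "container_file_t")}

def can_access(process_label: str, file_label: str) -> bool:
    proc, obj = parse_context(process_label), parse_context(file_label)
    if (proc.setype, obj.setype) not in ALLOW:   # type enforcement says no
        return False
    # MCS: the process level must dominate the file level.
    return (proc.sensitivity >= obj.sensitivity
            and proc.categories >= obj.categories)

# Constructed labels: same types, a different category pair per container.
CONTAINER_A = "system_u:system_r:container_t:s0:c12,c345"
CONTAINER_B = "system_u:system_r:container_t:s0:c67,c890"
FILES_A = "system_u:object_r:container_file_t:s0:c12,c345"
FILES_B = "system_u:object_r:container_file_t:s0:c67,c890"
HOME_FILE = "unconfined_u:object_r:user_home_t:s0"

if __name__ == "__main__":
    for proc, obj in [(CONTAINER_A, FILES_A), (CONTAINER_A, FILES_B),
                      (CONTAINER_B, FILES_B), (CONTAINER_A, HOME_FILE)]:
        print(f"{proc} -> {obj}: {'allow' if can_access(proc, obj) else 'deny'}")
```

On a real SELinux host the equivalent labels can be inspected with `ps -eZ` for processes and `ls -Z` for files.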
Anonymous No.107074960
>>107074554
>But the real question is, can I install Vscode / discord on fedora or whatever selinux OS and be protected in a container, and access my home directory?
Yes. I do this on Kinoite. It works fine.