Manjaro, why do you have no SELinux?

I absolutely love Manjaro and Arch. I love how modular it is, and most of all I love the community especially the community over here. Everyone here has been really patient with my dumb questions and helped me a lot to learn more.

But it breaks my heart that I will probably have to go with Fedora since SELinux is enabled by default.

Comparing AppArmor to SELinux, many admins will swear by SELinux.

So why did Manjaro not keep an option for SELinux?

I know there are hardened kernels out there, but people keep saying that if you really want SELinux you are better off with Fedora.

My main question is: if the policies for SELinux are not there yet, why can't Manjaro just "copy" the policies from Fedora or CentOS? I mean, it's open source, so why not just use them?

Again, I don't mean this as criticism but a desperate plea for a feature request.

Thanks in advance.


Read the linked topics ... :slight_smile:

2 Likes

TL;DR:

This will never happen...

The long version:

Manjaro is a forward-looking Distro:

  • Rolling release,
  • Release Candidate Kernels,
  • Latest packages,
  • systemd
  • AppArmor
  • ...

From the comparison between SELinux and AppArmor:

Because AppArmor and SELinux differ radically from one another, they form distinct alternatives for software control. Whereas SELinux re-invents certain concepts to provide access to a more expressive set of policy choices, AppArmor was designed to be simple by extending the same administrative semantics used for DAC up to the mandatory access control level.

Sorry! :sob:

2 Likes
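As an added illustration (not from the thread and not one of Manjaro's own profiles) of what "extending the same administrative semantics used for DAC" means in practice, here is an AppArmor profile for a hypothetical /usr/bin/notes-app; the binary, its config directory and its data directory are assumed names:

```apparmor
# Added example, not Manjaro's own profile. /usr/bin/notes-app, its config
# directory and its data directory are hypothetical names.
#include <tunables/global>

/usr/bin/notes-app {
  # Common rules every program needs (libc, locale, /dev/null, ...)
  #include <abstractions/base>

  # The executable itself: map as executable and read
  /usr/bin/notes-app mr,

  # Same path-and-permission vocabulary as DAC: r = read, w = write.
  # Read-only access to the app's own system-wide config.
  /etc/notes-app/** r,

  # Read and write only the app's own data directory inside $HOME, and only
  # files owned by the invoking user ("owner" ties the rule back to DAC ownership).
  owner @{HOME}/.local/share/notes-app/** rw,

  # No rule is needed for the rest of $HOME: AppArmor profiles are default-deny,
  # so ~/Documents stays untouchable even though plain DAC would let the user's
  # process rewrite it. Do not add "deny @{HOME}/** rw," here: in AppArmor a deny
  # rule overrides allow rules, so it would also cut off the data directory above.

  # Explicitly refuse network access so nothing from the abstractions slips through.
  deny network,
}
```

Load it with `apparmor_parser -r`, run it in complain mode via `aa-complain` first and watch the kernel log for denials, then switch to enforce mode and confirm with `aa-status`.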

SELinux is not something you keep, it's something you build. Manjaro maintains a much larger number of kernels than Fedora. Maintaining SELinux for all of them would require a lot of resources. Also, security policies would need to be maintained.

SELinux is great for its intended use, but I'm not convinced that it is something that the average Manjaro user needs or wants. The extra security it brings comes with the cost of more difficult tinkering and a steeper learning curve.

So, while SELinux is great, it is not included in Manjaro because we focus our resources elsewhere and because it is not ideal for our target audience.

10 Likes

This is a great answer. The reality is if you try to be good at everything you just kinda don't really end up all that good at anything.

4 Likes

Well, if you want to get rid of the learning curve, why don't you use the Grsecurity/Dapper kernel patchsets?

I mean, they don't have any learning curve for the user but would go a long way in terms of security.

Well, I don't get why

a forward-looking Distro

can't have SELinux. I mean that would imply that Fedora/CentOS is not "forward looking".

No - it won't. Security is something you enforce - which is why Fedora has it as Fedora is the guinea pig for Red Hat Enterprise.

Manjaro does not enforce any given security scheme on its end users. With Manjaro, security is something you implement if you feel the need for it.

And bear in mind - security is as good as the end user - if the end user is ignorant then security is worthless.

Note: Ignorance is not the lack of knowledge but the refusal to gain it.

4 Likes

I forget the person's name and the company he owned and ran, but said company provided computer security to large Fortune 500 corporations and quite a number of much smaller businesses as well.

Anyway, he produced a mailing list and, on his website, described the many errors both companies and PC users often make when handling their security and dealing with Black Hat Hackers and Script Kiddies and of course Malware.

A sort of law he created basically states: The higher the level of inconvenience placed on users, the less likely they are to fully comply with strict security rules.

1 Like

Here is what I don't understand. If you are not enforcing security by default, then why do Linux fanboys keep saying that Linux is more secure than Windows?

I mean, if both Linux and Windows don't enforce any security on the end user, won't that make them the same in terms of security?

So in that case, "Linux is more secure than Windows" would be an inaccurate statement, wouldn't it?

Because Windows is actively targeted while Linux has next to no hackers bothering with it. Additionally, threats written for Windows will not work on Linux due to the way it is coded more robustly with regard to user account policies. If you really need to ask the difference, the topic has been covered comprehensively a number of times by the Linux experts contributing to Ars Technica etc.

Smells like a homework assistance topic to me.

I prefer the lack of SELinux because it has an impact on overall performance and is not really needed for desktop computers outside of a corporate environment. SELinux has a place for businesses and servers. It's used just as much to restrict what the end user can do with a machine as a foreign agent intent on stealing data or causing harm remotely.

2 Likes

Even without enforcing security, Linux is secure by design; it is by design network aware.

This is seen when you handle the system.

A user can do anything they want within their own playground. If they want to execute ransomware, the ransomware is fenced within the user's permissions and cannot affect the overall system.

If the user is ignorant and insists on running the ransomware as root - by all means - if you have superuser or root access - it's your system - spoil it - we won't stand in your way.

This is different for enterprise systems, where users often are allowed access to or are required to have access to server resources - in which case enterprise systems enforce e.g. SELinux or AppArmor.

No. If a user is ignorant - it doesn't matter if it is Windows or Linux or any other system for that matter.

Do you jailbreak your phone? Have you considered it? That is because Apple, Microsoft, Google are enforcing security - restricting what users are allowed to do.

I have been a sysadmin since 1996 (freelance with several clients) - they all hated when I talked security - I had to make them sign agreements to take the responsibility - if something went south due to security breaches - I was not to blame.

I am/was Microsoft Certified Professional with network and system administration as my field of expertise. I am by no means an authority but very experienced - I have never had any incidents with my own systems - but I have had so many first responses to small companies without a security policy - saving their shiny bald heads.

A system is only secure if the user is security minded and uses common sense.

5 Likes

Nope. A simple Google search will help you here.

So, if you're not, as you say, a "Linux fanboy," and you don't understand this. . . Why are you even here? Your responses are putting you pretty close to troll territory. If these are questions you're asking now, why don't you just run Windows?

3 Likes

There's also some cross-over with Wayland and increasingly default policies for KDE Plasma now restricting which actions can be done and which files can be modified from within the GUI by users to prevent breakages by idiocy.

1 Like

Because on Windows it takes an email / download / ... to be infected and on Linux it takes a:

git clone https://Maffia.IT/RansomWare/
cd RansomWare
nano PKGBUILD
make RansomWare
sudo ./RansomWare.o --Encrypt

N00bs won't be able to do this and experienced users will know not to do this, so yes: Linux is "Malware free" for a specific definition of "free".

Yes I know: Amazon still monitors all your tracks even under Linux, but that's why no one is running the Amazon app under Linux.
Yes I know: Amazon isn't the only one...

1 Like

Yes, this is exactly what I am trying to get at. By no means do I want to take a dump on Linux. But I am genuinely confused as to what people mean by "Linux is more secure than Windows".

Please note I mean Windows 10. Not Win 8.1 or Win 7, though I have been running Win 8.1 for 5 years without any intrusions.

When people say Linux is more secure, it honestly sounds like snake oil to me, hence I am always trying to understand exactly in what aspects it is secure. Again, comparing Win 10 btw.

You yourself say that if the user is stupid then security doesn't matter, so how does this whole argument hold up?

So you mean to say that in Windows, if a user infects their own system, it affects the entire enterprise? And in Linux this is not the case, right?

Am I understanding that this is what you wanted to say?

Potentially yes, this is entirely possible. In Linux it isn't.

And I seem to have hit a nerve and blown up this discussion. Well, going forward, "Linux fanboy" seems inappropriate and I will use a more generic term like "most people".

As to your question why I am here: it is because I am desperately looking for some proof when people ask me why "Linux is more secure than Windows", and I tell them to do a Google search and they come back and tell me they are not impressed.

Windows security was bad, but it's getting better day by day. The new Windows 10 has a built-in sandbox feature and other improvements.

Why is it that I can't have a simple discussion on this topic with anyone in the community without being told this? Why is everyone so defensive?

So the only reason Linux is more secure is because hackers don't care about it?

No just the effect of too much free time, since I am working from home.

So don't you think that has a place in normal Linux desktops?

Not sure. I sell and support machines running Redmond products still, so I have no favouritism either way. The fact is Linux is still more secure at present, and Windows takes a lot of locking down via the Group Policy Editor to come anywhere close.

1 Like
