Fedora Considering a Big Change to SELinux

By Jack Wallen

Fedora developers planning to drop SELinux runtime disabling in an upcoming release.

Security Enhanced Linux (SELinux) is a security module, within the Linux kernel, that provides the necessary mechanisms for supporting access control security policies. With SELinux in place, your Linux distributions are more secure.
But with SELinux comes some headaches. In certain cases, it prevents applications from running properly or servers from being available to clients. Many times, when SELinux gets in the way, developers might opt to disable SELinux at run time, using the selinux=0 option within /etc/selinux/config. What this does is completely disable SELinux.

The Fedora developers are considering doing away with that option altogether for the 34th iteration of the platform. Why? First and foremost, it's a security issue. Without SELinux protecting your machines, they are more vulnerable. Second, the option has been deprecated in the upstream kernel.

For those that think this is going to cause serious problems, fear not. Users will still be able to switch SELinux between "permissive" and "enforcing" modes using setenforce. By doing this, SELinux will not block anything and will log all policy violations. However, it should be noted that setting SELinux to "permissive" is often seen as disabling the feature, so users should proceed with caution.

Because of this upcoming change, Fedora users and admins will need to become a bit more informed about SELinux, in order to properly troubleshoot issues.

For more information, check out the Fedora Wiki entry on the feature.