I dream of the day this page ranks on the first page of Google search results. Maybe then those in positions of linux power will spare us the pain that is selinux.


Every time I come across selinux, I get puzzled by how this piece of oddity got its way into the mainstream linux distributions. The feeling I get is exactly the same as I got when I saw Tori Spelling in 90210 thinking she doesn't belong in this show, and then I found out her father was the producer. SE Linux is the same! About the only thing I hear talked about when it comes to SE Linux is how to get rid of it, and yet it seems to get deeper entrenched in every linux release. I'm guessing selinux is the brainchild of some linux bigwig who wards off any attempt to have it removed from mainstream use.

I am sure the idea behind SELinux is noble, but pushing it down everyone's throat is like passing a law that requires everyone to have airport-security in their home where they need to get checked before they get into their car or go into a different room, and that the only way to remove it is to put it into "permissive" mode where you still have to deal with the guards and their screening equipment every time you move about your home but they don't ask you who you are unless some arcane rule only they know about kicks in! And they will only leave after they search through every molecule in your house (SELinux relabeling, anyone?)

I am sure SELinux is great, but it's great like chemotherapy is great. It is needed somewhere and it's a blessing when it's needed but if I don't need to deal with it then I don't want it in my life.

Ever since selinux first came out, the only thing I remember wanting to do is to stop it, disable it, get around it, shut it down, delete it, inactivate it, or pacify it. But every time it keeps coming back with a vengeance. I have probably wasted a month of my life over the past years dealing with some complication caused by selinux and god knows I want no part of it.

You're probably wondering how I have found the time to start this website and write this content. The truth is I started upgrading my Fedora Core 16 to 17 which I expected to take about an hour. That was 10 hours ago! It turns out that as part of installing the new rpms, the cleanup phase of selinux-policy-targeted relabels every file in the system, and selinux has been working on relabeling 5 terabytes of data since about 30 minutes into the upgrade process. The kicker is that I have no idea how long this is going to take, and I don't dare stop the upgrade. All I can do is to sit here and wait. It might take another 5 days but I just don't know! Anyone working on selinux who thinks this is acceptable is out of touch with reality. Any installation process that is exponentially time consuming and that gets started without being explicitly requested by the operator is unacceptable.

Don't get me wrong. I have a lot of respect for people who conceived selinux and are working on implementing it. But I also have a lot of respect for DNA sequencing, and ornithology, and pottery. My examples might at first seem unrelated since you might argue I might need selinux for my server. But to mainstream installations, selinux and ornithology are at equal distance to what we need to be spending time on!

So here I am, at 4:30 in the morning, waiting for selinux to relabel my drives. I have no idea how long it is going to take and I can't stop it. And this is a production server. I am sure some selinux genius would know exactly what needs to be done right now, but I don't, and I have no interest in learning that bit of knowledge since I don't want selinux. The only reason I might want to learn that piece of knowledge is to expand on my skillset on removing selinux. And btw, google has no hints on what I need to do right now.

To anyone who wants to trivialize my pain by saying I don't know enough about selinux and how good it is to be able to benefit from it, I must say I know enough about selinux to know I don't want it.

I'd like to start a campaign to have selinux removed as a standard part of linux distributions so that it can be added if and only if the person installing the OS knows with absolute confidence that he wants selinux.

