Title.
It’s an unnecessary layer of complexity. I am the only user of my personal laptop. I don’t need fine-grained permissions. Linux users and groups are enough for any permission needs I might have, like docker group, audio and video groups, etc. I don’t have any “classified” documents on my computer. My home directory and root are on different disks. I can easily format and reinstall my system if something goes wrong and keep all my personal data.
You don’t have classified documents, but you probably use bank in your browser running as your user. Maybe you use local mail program to send emails, also running as your user. A simple malware could add emails to be send asking your family to send you some money through online service.
And that’s easily done because the only isolation layer is user and group.
I really don’t see how anyone can install malware on my computer. I know my way around computers enough to not do anything dumb. Of course if someone wanted, they would be able to hack my device, probably. But I am not a high value target and it would be a waste of their time and effort. In short, that’s a risk I am willing to take :)
Having your home directory on a different disk is something that could’ve saved me a lot of headache. Can’t believe I didn’t think of that.
If you’re mandated or regulated to implement MLS or MAC etc, SELinux is a security control that enables you to comply through expanded and expressive policy controls.
When I hear dislike for it, it’s usually because people are using SELinux as a “make my personal computer safer” tool rather than the “we’ve hundreds of thousands of differently classified sensitive documents and thousands of employees with different clearances”.
MAC/DAC/MLS isn’t designed for personal computing and if you think SELinux is the solution you personally need, you might need to reevaluate your threat model (as any external actor will seek to bypass kernel controls entirely e.g. CVE-2025-0078).
For 2 years, I had to set up production environments on RHEL, mostly Apache and Keycloak servers. I had a limited, very specific list of sudo permissions, and I had to ask very specifically what I else needed, which was then granted by people who neither knew nor cared what I was working on.
SELinux permission problems were always the fallback reason when nothing else made sense. With my permissions, I could not just straight up check for it. E. g. Apache would not server a folder, cryptic error -> check file permissions -> check general Apache config problems -> assume SELinux permission is missing and request it, supplying the exact command they need to type.
Excessive for my threat model, one more thing which could break something (even if by no fault of its own).
I like it as a concept, but many of my devices don’t use it.
After switching between distros for 8+ years and settling on Fedora KDE, I don’t think I’ve ever had SELinux get in my way for anything.
It’s a pain in the ass when you want to run a web server on your PC. You have to disable SELINUX else the damn thing won’t let me modify html pages and show the updates. Everything is just frozen from making any changes. That said, it’s probably easier to do web development another way, my method is nearly two decades obsolete. SELINUX really pissed me off though. I wanted to test forum software on my PC once, and SELINUX was blocking me and I couldn’t figure it out for ages.
Never used it, but i think that’s also because it doesn’t work on distros without systemd. So i guess that’s a reason to dislike it?
