SELinux yes or no for desktop use?

I am now trying out Rocky Linux 9 on my laptop that I use both for work and home desktop use (most often I use Linux Mint at home but wanted to use a RHEL-family Linux now instead).

Right after the installation, at first the laptop felt pretty much unusable. It seemed to get stuck constantly, e.g. right-click on links in Firefox didn’t work, a mere “ifconfig” got jammed and didn’t give any output, I couldn’t change the hostname with “sudo hostnamectl set-hostname” but it just gave an error, “reboot” got stuck etc.

I was already starting to think either my laptop is dying or it is just incompatible with Linux in general or the RHEL family… but then I remembered SELinux and wondered if it could affect this. Bingo, after setting SELinux to permissive, all those issues seemed to go away.

I realize Red Hat urges server admins to just bite the bullet and learn to configure SELinux, instead of disabling it or even setting it to permissive mode… but is it really worth it for desktop use, or is it really mainly needed for running critical corporate web servers and such which have open services and ports to the world?

Let’s say you decide to install e.g. Steam and run some Steam Linux games… is it a pipedream to try to get them to work with SELinux?

I run Fedora as my primary desktop. This includes Steam and various other applications/games outside of Steam. I leave selinux enabled and generally have no issues. It should be similar enough on the Enterprise Linux family and leaving it enabled will always be the way forward and what’s supported.

There should be no reason that after a default installation of Rocky Linux that selinux is causing you issues. You would see notices/alerts on your desktop about it. You may want to leave it enabled, run touch /.autorelabel and reboot to be sure that your system is labeled correctly.

As an aside: ifconfig is also obsolete. You should be using the ip command instead (e.g., ip a).

That’s the thing that surprised me, that I had such big issues with a fresh Rocky 9 installation, seemingly due to SELinux. I am not quite sure why I had those issues, but setting selinux to permissive mode seemed to clear the problems for some reason.

Maybe I’ll try to enable it again and do relabeling as you suggest, as I would certainly like to learn more about configuring it, in case I need to do that for some RHEL servers at some point etc.

I run Rocky Linux on my desktop, my wife’s desktop, my laptops, my wife’s laptop and have no issues at all. I do use the Mate desktop on everything and not Gnome, though.

Ok so my problems with a vanilla installation were probably somewhere else, even if setting selinux to permissive seemed to mitigate them. I am sometimes seeing e.g. “CPU soft lockup” errors e.g. during shutdown or restart, googling for it suggests millions of possible root causes for it starting from memory errors, up to full hard drives, but they did seem to go away too when I changed selinux to permissive…

I did the autorelabel thing once and at that point selinux=enforcing didn’t seem to cause much of a problem.

However, I am still dabbling with this installation (it is actually a Windows 11 + Linux dualboot on my laptop, the Windows 11 will be reserved only for work) and haven’t fully made up my mind which Linux.

In the long run I’d probably want to keep selinux=enforcing simply to learn more about configuring it, to get more comfortable using it especially if some of our clients want to use it on their RHEL family servers etc.

I’d prefer Rocky Linux 9 as its support lasts well beyond the life expectancy of this laptop so I will never have to care about doing a release upgrade or replacing the installation. Other options are Linux Mint (which I primarily use at my home PCs, along with Windows, but the current Mint support lasts “only” to 2027), and maybe Manjaro due to its rolling release model (i.e. basically the same benefit as RHEL/Rocky, don’t have to do release upgrades even years from now).

There is a very clear (IMO) article on troubleshooting SELinux on the CentOS wiki.
https://wiki.centos.org/HowTos/SELinux#Creating_Custom_SELinux_Policy_Modules_with_audit2allow

That goes to a section of the article, but if you go to the top of the page, the whole article is worth a read.

Thanks for this. I’m hitting SELinux alerts from a Zoom install. I’m guessing it’s a false positive, but you never know.

You’re more than welcome, the credit goes to Phil Perry of ELRepo (also known as Ned Slider) who wrote it. (Phil, if you’re on these forums, Hi!)
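
As an added example (not from the thread or the linked wiki article): before attributing a problem to SELinux, or writing a policy module for an alert, check whether the audit log actually holds enforced AVC denials and for which process. The sketch summarises AVC records read from stdin; the sample log lines, process names and SELinux types are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit records on stdin.
LC_ALL=C; export LC_ALL

# Constructed sample in audit.log format (process names and types are made up).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { read } for  pid=2101 comm="zoom" name="conf" dev="dm-0" ino=1311 scontext=user_u:user_r:example_app_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="zoom" exe="/opt/example/zoom"
type=AVC msg=audit(1700000003.220:415): avc:  denied  { read } for  pid=2101 comm="zoom" name="conf" dev="dm-0" ino=1311 scontext=user_u:user_r:example_app_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.040:422): avc:  denied  { name_connect } for  pid=2101 comm="zoom" dest=8801 scontext=user_u:user_r:example_app_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000050.700:431): avc:  denied  { write } for  pid=2300 comm="updater" name="cache" dev="dm-0" ino=2210 scontext=user_u:user_r:example_upd_t:s0 tcontext=system_u:object_r:example_cache_t:s0 tclass=dir permissive=1
type=SERVICE_START msg=audit(1700000060.000:440): pid=1 uid=0 msg='unit=example comm="systemd"'
EOF
}

# Prints "<count> <comm> <tclass> <perms> <blocked|logged-only>" per distinct denial.
# permissive=0: access was refused; permissive=1: only logged, access went through.
avc_summary() {
  awk '
    $1 == "type=AVC" && $4 == "denied" {
      comm = tclass = mode = "?"; perms = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms (perms == "" ? "" : ",") $j }
        else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        else if ($i == "permissive=0") mode = "blocked"
        else if ($i == "permissive=1") mode = "logged-only"
      }
      n[comm " " tclass " " perms " " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Zero enforced denials means SELinux did not refuse anything in this log.
verdict() {
  blocked=$(avc_summary | awk '$NF == "blocked" { s += $1 } END { print s + 0 }')
  if [ "$blocked" -gt 0 ]; then
    echo "selinux-enforced-denials=$blocked"
  else
    echo "no-enforced-denials"
  fi
}

# On a real system (as root): ausearch -m AVC -ts boot --raw | avc_summary
sample_log | avc_summary
sample_log | verdict
```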

Just to confirm that apparently my original problem (Rocky becoming unresponsive etc.) was not related to SELinux at all, but my USB hub causing CPU soft lockups, for which I started another thread.

So yeah I am happily using selinux = enforcing at the moment.
