Bonum Certa Men Certa

SELinux is Security-Vulnerability-Enhanced Linux, Developed by NSA (Now With All References to the NSA Removed by IBM/Red Hat)

posted by Roy Schestowitz on Jan 18, 2024

Vintage soldier with coffee

Reprinted with permission from Ryan Farmer.

Latest Round of Xorg Vulnerabilities Added Recently and Some Don’t Work Without SELinux Turned On.

The latest round of Xorg (X11) vulnerabilities to be patched were added within the last several years.

Out of half a dozen, the oldest ones were added in 2006, but many in 2011, 2012, or 2014.

Many of the defects might have been added by Red Hat employees.

They don’t specify which revision added them, only the release, however, Red Hat likes to complain that they’ve had most of the maintenance burden of Xorg “for years now” whenever the topic of Wayland, which doesn’t really work productively, comes up and they have to read the “Xorg is a mess and we have to do something and this is something” spiel.

This is the company that tells us we need to use Wayland, and which is mainly responsible for Wayland, which breaks everything and makes my computer impossible to use productively until I run the X11 session.

Honestly, Wayland is so f***ed that it causes more graphical glitching, session crashes, and power management issues and other annoyances than X11, which were supposedly the list of reasons X11 had to go, plus it also has no concept of screen savers, so I can’t use XScreenSaver with it. I’ve written a lot about why Wayland is in no sense of the word ready.

Jamie Zawinski said he no longer maintains XScreenSaver for the practical reasons we used to use screen savers for (to prevent burn in, although LCD/LED panels can still burn in).

For years now, the “Environmental Protection Agency” (Employment Prevention Agency) has been a party-pooper requiring the screen to turn off regardless of what the user wanted, because we need MOAR POWER to charge Teslas which won’t charge when it’s cold outside, or something. Or to “SAVE THE PLANET!” because of the sheer arrogance that the people responsible for overpopulation and environmental destruction are going to save it if the computer uses three watts less.

I think the real policy issue with IBM/RH’s war on screen savers is that a world dominated by mega-corporations has no use for art, or a well-educated public, or people who can think for themselves to any meaningful degree.

I don’t even have bizarre hardware, and Wayland is a big shitpile. Intel was promoting Wayland heavily and it doesn’t even work quite right on Intel’s graphics chipsets.

The only thing Wayland accomplished (Mission Accomplished) was stop and make everyone reinvent the wheel to the point of not getting much else done, just so that their software would do what it already did, with implementation gaps that are “not in scope” and reimplementing the same feature in different code (with different quirks) depending on which compositing manager your desktop environment runs in.

Two of the security vulnerabilities (CVE-2024-0409: SELinux context corruption and CVE-2024-0408: SELinux unlabeled GLX PBuffer) don’t work at all unless the user is running with SELinux turned on, which Fedora and Red Hat Enterprise Linux do.

SELinux is such an ungainly mess that it’s hardly possible to understand, and Fedora bumps the selinux-policy all the time because it’s still managing to cause a lot of trouble even more than two decades in.

Now it is actually adding security problems through the “security” policy for the X Server.

A while back, SELinux was patched to remove references to the United States National Security Agency, which originally wrote it. The Agency likes to spy on the entire world and “accidentally” bulk-collect data about Americans, or “incidentally” collect it, and then look at the data, with only a secret court that basically only ever says yes to them supervising it.

Stephen Smalley updated his email address and "debranded" SELinux from "NSA SELinux" to simply "SELinux".  We've come a long way from the original NSA submission and I would consider SELinux a true community project at this point so removing the NSA branding just makes sense.
-Linux Kernel Mailing List

Ah yes, which community would that be? The Intelligence Community? IBM/Red Hat? Those are really the only people who have a lot of interest in SELinux. Most non-RH distributions don’t even have it or don’t even have any sort of “security modules” loaded by default, or use AppArmor.

I haven’t seen any evidence that there are major security problems that SELinux is saving real people from. It ticks a box, and in this case, it managed to make Xorg even worse just by being turned on. If IBM/RH cared about security, they wouldn’t be telling people to use RH in Microsoft Azure and AWS where the data breaches keep happening.

I’m just not sure this monthly panic about Xorg bugs is “organic”. Actually, it’s getting pretty Groundhog Day-ish.

I mean, the issues are being fixed. Lots of software has an old and complicated codebase that is difficult to understand and the source of constant bugs.

Also, some of the prior hysteria pointed out that some dated back into the 1980s and 1990s. (Windows routinely has security vulnerabilities this old and no big deal is usually made about them.)

By this example, we should delete Mozilla Firefox and even Linux itself because they too tick all those requirements for not being “secure”, or “modern” or something.

“Secure” and “Modern” are increasingly marketing buzz words, which translate to “Heinously bloated” and “under the control of someone else”, counter-respectively.

Typically, when someone starts throwing those words around to the point of abuse, I just start tuning out.

As always, patch your software. Nothing to see here.

Other Recent Techrights' Posts

Linux and the Freedom Paradox
Linux is losing freedom if some external actors who only use Microsoft tools for development wrest control
Watch the FSF Party Live (via Livestream)
It's in WebM format, which is widely supported by now
Advocacy of Software Freedom Changed, LUGs Became Less Relevant
The way we see it, support groups like LUGs sort of outlived their usefulness when it became easier to install GNU/Linux
For the Second Time in a Few Weeks Microsoft Lunduke Makes False Accusations Against Senior Red Hat Staff to Incite a Despicable 'Troll Army'
Nothing that Microsoft Lunduke claims or says can be trusted
Compromised by NVIDIA Proprietary Library
Meanwhile in Boston there are "[r]oundtable talk with FSF volunteers (both in-person and online)"
How Software Patents Were Viewed or Their General Status Changed Over Time
A rough summary
 
The Free Software Foundation's Livestream Has Ended, Video/s Might be Online Next
I've asked whether they'll upload video of some of the event; I still wait for an answer
The Register MS Does Not Know the Difference Between Microsoft GitHub and GitLab
At the time of writing (October 5) the article from "Thu 2 Oct 2025" remains uncorrected
"Bullshit Generators" (What RMS Calls LLMs) and Fake Images Already Target the FSF
Why does Google News promote fake articles about the FSF while omitting all the real ones?
Software Patents as a Bubble
Don't invest resources in hype; if you detect a bubble, run away from it
Links 05/10/2025: Political Leftovers, Climate Change, and Security Incidents
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, October 04, 2025
IRC logs for Saturday, October 04, 2025
When Microsoft "Integrates" Something With "AI" It Means It's Losing Money and Is Generally Hopeless
how did Bing fare after 36 months of LLM slop being hyped up as "replacement" for search?
Most Certificates Don't Improve Security, They Mostly Increase Downtime (for No Good Reason)
The 'Gemini sites' (capsules) are a growing force
The statCounter Site Has Data Integrity Problems
Maybe we'll get back to statCounter when its data becomes more "stable" again
10 Ways to Combat Software Patents
software patents are loathed also by proprietary software developers
"Just a Little Bit of Meat..."
Free software "absolutism" is not a radical stance, more so if the only "radical" belief the user possesses is that he or she must be in control of his or her software, and by extension his or her computer
Red Hat is Ignoring the Free Software Community, It's a "Fortune 1000" Vendor
Red Hat's blog also participates a lot in promoting of Wall Street's latest pump-and-dump "AI" scheme
Free Software Foundation Party Has Begun
We shall be focusing a lot on software patents today
Former Head of the Federal Trade Commission (FTC) Lina Khan Knows Whatever Microsoft Touches Will Die
Just like Skype (as recently as months ago) [...] When Microsoft grabs things, or when it buys things, it almost never ends well
Slopwatch: Fake Articles About LibreOffice in Austria and Wine 10.16
very short
Links 04/10/2025: "attempted Coup" Noted in Facebook, Russia Kills Journalists via Drones
Links for the day
Gemini Links 04/10/2025: Anesthesia and Baudpunk
Links for the day
Links 04/10/2025: "Privacy Harm Is Harm", Criticism Outlawed in US
Links for the day
Garmin Uses Linux for Some of the Garmin Products, Now It's Sued by Strava Using Software Patents
Software patents should never have been granted in the first place
Richard Stallman Will Give a Talk in Sweden in 6 Days
Dr. Stallman, despite his battle with cancer is still alive and mentally sharp
FSF Turns 40
We'll be focusing on patent-related topics this weekend
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, October 03, 2025
IRC logs for Friday, October 03, 2025
Gemini Links 04/10/2025: Distro Hopping and "Part Time"
Links for the day
We Are Turning 19 in One Month, FSF Turns 40 in 3 Hours (CET)
For our anniversary next month we still have no concrete plans
Patent Docs (or PatentDocs) Learned the Wrong Lessons From the Death of TypePad
Had they gone ahead with an SSG, they'd become a lot more future-proof
USPTO Patent Bubble Already Imploding, After Decades of Artificial Inflation, Entire Offices Close for Good
we can deduce that financial pressures (lack of "demand" for monopolies) play a role
TikTok is Not Harmless (Being CheeTok in the US Will Advance Orange Agenda)
Social control media isn't "fun and games"; it's a digital weapon that lets hostile groups or nations infiltrate others, then turn them against themselves
Andy Farnell and Helen Plews Explain What "Modern" Tech Does to Old People
Imposing terrible tech "religion" on people is not helping them
Tomorrow the Free Software Foundation (FSF) Turns 40 and Its Web Site is Still Slow Due to DDoS by LLM Slop Bots
For an advocacy group, uptime is important (for its message to remain accessible)
Slopwatch: Google News as a Firehose of LLM Slop About "Linux"
Google News is really bad
Datamation, Where I Used to Publish Articles, Appears to Have Been Sold to TechnologyAdvice Only to Become a Slopfarm
I'd prefer to not associate with that site anymore
Links 03/10/2025: "NPR’s Economics Lessons Come With Neoliberal Spin" and Canada Post at Risk
Links for the day
Gemini Links 03/10/2025: Panic Attacks and Food Adulteration
Links for the day
Links 03/10/2025: Lawyers Caught Using LLM Slop Explain Why They Did It, LibreSSL 4.1.1 and 4.0.1 Released
Links for the day
FSF Board Grew 50% Since Last Year, Has New President, Turns 40 in Two Days
It's a good move for the FSF and - by extension - for software freedom
Links 03/10/2025: Conflicts, Death of TypePad, and TikTok/CheeTok Gives a Boost to Far Right Groups in Europe
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, October 02, 2025
IRC logs for Thursday, October 02, 2025
Slopwatch: Linux Journal, Google News, and LinuxSecurity
They carry on polluting the Web with fake articles
Gemini Links 02/10/2025: Kubernetes With FreeBSD and robots.txt
Links for the day