Bonum Certa Men Certa

SELinux is Security-Vulnerability-Enhanced Linux, Developed by NSA (Now With All References to the NSA Removed by IBM/Red Hat)

posted by Roy Schestowitz on Jan 18, 2024

Vintage soldier with coffee

Reprinted with permission from Ryan Farmer.

Latest Round of Xorg Vulnerabilities Added Recently and Some Don’t Work Without SELinux Turned On.

The latest round of Xorg (X11) vulnerabilities to be patched were added within the last several years.

Out of half a dozen, the oldest ones were added in 2006, but many in 2011, 2012, or 2014.

Many of the defects might have been added by Red Hat employees.

They don’t specify which revision added them, only the release, however, Red Hat likes to complain that they’ve had most of the maintenance burden of Xorg “for years now” whenever the topic of Wayland, which doesn’t really work productively, comes up and they have to read the “Xorg is a mess and we have to do something and this is something” spiel.

This is the company that tells us we need to use Wayland, and which is mainly responsible for Wayland, which breaks everything and makes my computer impossible to use productively until I run the X11 session.

Honestly, Wayland is so f***ed that it causes more graphical glitching, session crashes, and power management issues and other annoyances than X11, which were supposedly the list of reasons X11 had to go, plus it also has no concept of screen savers, so I can’t use XScreenSaver with it. I’ve written a lot about why Wayland is in no sense of the word ready.

Jamie Zawinski said he no longer maintains XScreenSaver for the practical reasons we used to use screen savers for (to prevent burn in, although LCD/LED panels can still burn in).

For years now, the “Environmental Protection Agency” (Employment Prevention Agency) has been a party-pooper requiring the screen to turn off regardless of what the user wanted, because we need MOAR POWER to charge Teslas which won’t charge when it’s cold outside, or something. Or to “SAVE THE PLANET!” because of the sheer arrogance that the people responsible for overpopulation and environmental destruction are going to save it if the computer uses three watts less.

I think the real policy issue with IBM/RH’s war on screen savers is that a world dominated by mega-corporations has no use for art, or a well-educated public, or people who can think for themselves to any meaningful degree.

I don’t even have bizarre hardware, and Wayland is a big shitpile. Intel was promoting Wayland heavily and it doesn’t even work quite right on Intel’s graphics chipsets.

The only thing Wayland accomplished (Mission Accomplished) was stop and make everyone reinvent the wheel to the point of not getting much else done, just so that their software would do what it already did, with implementation gaps that are “not in scope” and reimplementing the same feature in different code (with different quirks) depending on which compositing manager your desktop environment runs in.

Two of the security vulnerabilities (CVE-2024-0409: SELinux context corruption and CVE-2024-0408: SELinux unlabeled GLX PBuffer) don’t work at all unless the user is running with SELinux turned on, which Fedora and Red Hat Enterprise Linux do.

SELinux is such an ungainly mess that it’s hardly possible to understand, and Fedora bumps the selinux-policy all the time because it’s still managing to cause a lot of trouble even more than two decades in.

Now it is actually adding security problems through the “security” policy for the X Server.

A while back, SELinux was patched to remove references to the United States National Security Agency, which originally wrote it. The Agency likes to spy on the entire world and “accidentally” bulk-collect data about Americans, or “incidentally” collect it, and then look at the data, with only a secret court that basically only ever says yes to them supervising it.

Stephen Smalley updated his email address and "debranded" SELinux from "NSA SELinux" to simply "SELinux".  We've come a long way from the original NSA submission and I would consider SELinux a true community project at this point so removing the NSA branding just makes sense.
-Linux Kernel Mailing List

Ah yes, which community would that be? The Intelligence Community? IBM/Red Hat? Those are really the only people who have a lot of interest in SELinux. Most non-RH distributions don’t even have it or don’t even have any sort of “security modules” loaded by default, or use AppArmor.

I haven’t seen any evidence that there are major security problems that SELinux is saving real people from. It ticks a box, and in this case, it managed to make Xorg even worse just by being turned on. If IBM/RH cared about security, they wouldn’t be telling people to use RH in Microsoft Azure and AWS where the data breaches keep happening.

I’m just not sure this monthly panic about Xorg bugs is “organic”. Actually, it’s getting pretty Groundhog Day-ish.

I mean, the issues are being fixed. Lots of software has an old and complicated codebase that is difficult to understand and the source of constant bugs.

Also, some of the prior hysteria pointed out that some dated back into the 1980s and 1990s. (Windows routinely has security vulnerabilities this old and no big deal is usually made about them.)

By this example, we should delete Mozilla Firefox and even Linux itself because they too tick all those requirements for not being “secure”, or “modern” or something.

“Secure” and “Modern” are increasingly marketing buzz words, which translate to “Heinously bloated” and “under the control of someone else”, counter-respectively.

Typically, when someone starts throwing those words around to the point of abuse, I just start tuning out.

As always, patch your software. Nothing to see here.

Other Recent Techrights' Posts

We Covered UEFI 'Secure Boot' Scandals. The World Listened.
To hell with UEFI 'secure boot'
Fake News With Fake Numbers About Microsoft
"This is what happens when the world's economy is governed by sick old men"
Slopwatch: "Google News" is Fast Becoming a Mashup of Slopfarms, Linux Journal ("LJ") is a Dump of LLM Slop
Well done, Google News. Google itself can flourish as a slopfarm mashup.
Torturing Users Who Just Want to Run GNU/Linux on Their Own PC
"Linux does not want to install"
European Authorities, Already Bribed and Infiltrated by Microsoft, Won't Help You Find BigBlueButton, Jami, Ring, and Jitsi
Because they're paid by Microsoft and are Microsoft 'addicts' themselves
Moving From Content Management Systems (CMSs) to Static Site Generators (SSGs) Saves You Time, Makes You a Lot More Productive
try to reduce the cost (financial and computational) of running your site
Leak: European Patent Office (EPO) is Now Attacking Amicale Clubs
corruption has become the norm and scientists are robbed of any dignity
Oracle Fraud (or Defrauding Shareholders)
"the obvious [lie] is that watts are (wasted) electricity [and] and FLOPS are computing capacity"
Explaining (in Length and Depth) the Damage Matthew Garrett Did to Linux and to GNU/Linux Users
no matter how many threats we receive
 
Microsoft is Rapidly Dropped From Web Servers, Shows Survey
Microsoft lost about 8% "market share" in just 3 months
Many GNU/Linux Users Report MOK (Machine Owner Key) Issues in Recent Days
many people don't report this online and never post in Reddit
Links 13/09/2025: Escalations in East Europe and POTUS’ Health Cover-Up
Links for the day
Gemini Links 13/09/2025: Lagrange Turns 5 and Lagrange 1.19.2 Released
Links for the day
Microsoft Inside Your Linux: "Security vulnerability that allowed an attacker to bypass UEFI Secure Boot."
2 hours ago
A New Low for "Linux Journal": Promoting MICROSOFT WINDOWS Using LLM Slop
They've just jumped the shark entirely
The Register MS Still Takes Money to Hype Up "AI" in Articles by Microsoft Resellers With the Term "AI" 30+ Times in Them
Notice how many times they mention "AI"
The Apache Logo News is VERY Old, Racists and 'Anti-Woke' Bigots Look for Something to Incite Other Bigots With
Nothing to see here, move along
Linux Mint 9/11: "4th One Today..." (in Reddit)
Remember that not everyone having an issue reports it to social control media like Reddit
Nepal Will Fall Without a Single Shot Fired, Thanks to Social Control Media
Or very few shots (by the authorities)
European Corruption in the European Patent Office (EPO) Targets Culture
"In reality, the project includes a new “legal instrument” shifting administrative burden and liability on EPO staff while creating new uncertainty and externalising Amicale activities."
UEFI Secure Boot Failing, as Expected for Nearly 15 Years Already (Techrights Said This Since 2012)
in the media
Debian 9/11
people report this issue
Gemini and Web Links 13/09/2025: MElon's Slop Grift and "Autonomous Trains"
Links for the day
Pursuing Peace Through Violence
You cannot "see" a person's mind, until the mouth opens
Can We Please Stop Celebrating Shooters?
"An important point to hammer on is that CoCs were never intended for uniform or symmetric application"
Geminispace is Growing Faster in 2025 Than It Did in 2024
What matters is that corporations haven't ruined it and LLM slop is extremely rare
Links 13/09/2025: China Punishes for 'Negative' Posts, US Police Unable to Find Shooter
Links for the day
Who's the Mystery Financier of SLAPP Against Techrights and Is That a Millionaire/Billionaire?
Whose idea was it to fund meritless lawsuits against my wife and I?
Slopwatch: Slow Slop Day
This distracts from or may take traffic away from the original articles, actually written by actual people
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, September 12, 2025
IRC logs for Friday, September 12, 2025
CoC Gone Wrong: Celebrating Murder OK, Complaining About the Celebration Gets You Banned
Hopefully the NixOS Foundation will have a word with (maybe replace) the moderator/s
Gemini Links 12/09/2025: Familiarity and Secondary Dominants
Links for the day
Links 12/09/2025: "Bad Reviews" as Extortion Weapon, "Free Speech At Risk in America’s Schools" According to ACLU
Links for the day
Only One Speaker Does Not Do Sharecropping for MElon (in X.com)
The man who puts principles before PR/optics
The Mind of the 'Hulk Hogan of UEFI'
in a nutshell
A Day After "UEFI 9/11": UEFI Secure Boot Bypass
In the news today (right now), as published in the past few hours
Links 12/09/2025: Slop Code as Liability, Microsoft Outlook Down for Many
Links for the day
It's Still Not to Late to Turn Off "Secure Boot"
If people reboot their PC or server today, and it relies on "Secure Boot" on Sept. 12 or later, then depending on the firmware there may be trouble ahead
Links 12/09/2025: Shira Perlmutter is Back, “Software Per Se” Patent Rejections in In re McFadden
Links for the day
Slopwatch: Linux Plagiarism, Slopfarms Still Infesting Google News, Many Images Are Fake
Google is promoting plagiarism
"This Morning Might Turn Out to be an Interesting One for System Admins Who Haven't Updated Their Devices' Secure Boot Certificate" (If They Reboot)
Who asked for this anyway?
Gemini Links 12/09/2025: Metric System, Dumping Windows, and Software Architecture is Dead
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, September 11, 2025
IRC logs for Thursday, September 11, 2025
Microsoft Admits the Workers Have Lost Trust (Endless Layoffs, 12-13 Rounds of Layoffs This Year), So Now It's Trotting out Its Peter Bright-Like Media Prop Jordan Novet
What they don't want people to pay attention to right now
Links 11/09/2025: Windows TCO and Russian Drones Invading Poland (EU/NATO)
Links for the day
Gemini Links 11/09/2025: xkcd, misfin, and Alhena 5.3.2
Links for the day
Repetition of Last Summer (Microsoft Breaking Dual-Boot Systems)
UEFI 9/11 is about to kick in
UEFI 'Secure Boot' Boiling Frogs (Cannot Turn Off 'Secure Boot')
"MSI laptop is locked on Secure Boot and doesn't allow me to turn it off"
UEFI 9/11 Aftermath - Part IV: The 'Hulk Hogan of UEFI' and His 'Hideout' Holiday (Retreat From Reality)
Let's keep an eye on what matters
UEFI 9/11 Aftermath - Part III: Mr. 'Secure Boot' (Shim) and His Fake 'Holiday' (Sending My Wife and I Threatening E-mails on 9/11)
despite being on holiday, according to him, he finds time to instruct lawyers to contact my wife
UEFI 9/11 Aftermath - Part II: "The SecureBoot Thing Got Out of Hand."
The next few weeks might be... interesting
UEFI 9/11 Aftermath - Part I: "I Believe This Affects Thousands of Devices... Because Multiple Devices I Checked, Whether Client or Server [...] Affected."
Most people aren't even aware that this is happening or about to happen
The UEFI 9/11 - Part X - An Outline of the Series About Microsoft Sabotaging GNU/Linux (With Ramifications to Unfold Online in Coming Weeks as People Reboot)
Today is UEFI 9/11 (9/11/2025)
Ron Wyden: Microsoft Should be Held Accountable for Security Breaches (He Has Said This for Years Already, It Never Happens)
Negative media coverage isn't a fine and it does nothing to compensate Microsoft's billions of victims
Culture of silence: Ubisoft harassment convictions, Mozilla, Sylvestre Ledru & Debian make no comment
Reprinted with permission from Daniel Pocock
Disable 'Secure Boot' (If It Lets You)
it doesn't put you in control
Links 11/09/2025: "Hey Hi" Ponzi Schemes at Oracle (Unpaid Contracts) and Cindy Cohn is Leaving the EFF
Links for the day
Longtime Red Hat Staff: Maybe Just Disable 'Secure Boot'
A refreshing take from Adam Williamson
Gemini Links 11/09/2025: Playdate Console, Dichotomy between the Real and the Digital
Links for the day
A Dozen Observations About "UEFI 9/11" Deflections
What we are expected to see, tentatively
The Microsoft AstroTurfing and Microsoft-Led Blame-Shifting Tactics Are Ahead of Us
Of course it has nothing to do with security, it's about control, i.e. them controlling everything
Celebrating Assassination is Bad Because It Legitimises Assassination of the People You Like, Too
Condoning or even celebrating political assassinations is bad optics (and taste)
The World's Richest Ponzi Scheme (Faking Value Using Net Waste)
The higher they go the harder they fall
We Could Dual-Boot Back in the 1990s, Why Has This Become So Difficult?
And prone to breakage
Being Conditioned to Accept Unreliable Computer Systems That Fail With Black Screen of Death (BSoD)
Welcome to 2025
Slopwatch: Google News is Still Promoting Many Fake Articles About "Linux", in Effect Rewarding Misinformation and Plagiarism
things continue to deteriorate
New Series: The Coup Against GNU/Linux Has Begun
today, this year in particular, we shall also focus on Secure Boot, which is sold based on a lie and tortures many computer user
New Paper on "BYOVD, but in firmware. Signed UEFI shells, vulnerable modules offer new paths for Secure Boot bypasses."
One might say digital "security theatre"
Links 11/09/2025: Oracle Layoffs, Drunk Pilots in Japan Airlines, US-Korea Tensions Grow
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, September 10, 2025
IRC logs for Wednesday, September 10, 2025