
Author is correct that SELinux is not trivial and takes work to figure out.

Author is full of it in that they're obviously not aware of the tooling and information available. E.g.:

All of this is wrong:

> Fedora Linux. There’s nowhere on the system where you can view the policies and look up why something might or might not work.

You can install the policy's source and look at it all you want. There are also tools to examine the current policy.

> The SELinux denial audit log messages are too vague. You’re told that a label was denied reading from another label. Okay, what do those labels mean? Which programs? Which files, sockets, or whatever?

You get that in the logs. What you get is an inode number, which isn't very user friendly, but it's very much there. SELinux has tooling to turn the log messages into something nicer to work with.

> So, you run the audit2allow command as instructed, and end up with some policy blob files.

> God only knows what changes the blobs do; you can’t be expected to, nor are you given enough information to evaluate them.

This is also wrong; along with the blob you get a text file.

TL;DR: The author has a minimal point, but clearly hasn't read the docs. Help and tooling are available and not that obscure.
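The commenter's point that the denial log already carries the labels, the program and the inode, and that the generated policy comes with reviewable text, is easiest to see by pulling a raw AVC record apart. The script below is an added example for this thread, not code from the commenter or from the SELinux project; it does by hand the first step that `ausearch -m avc` and `audit2allow` perform, on a constructed sample denial (the pid, inode and paths are made up).

```python
"""Parse an SELinux AVC denial into something a human can review."""
import re
from typing import Optional

# "avc:  denied  { read open } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; policy rules are keyed on the type.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def allow_rule(d: dict) -> str:
    """The .te rule a tool like audit2allow would propose for this denial.
    This is the text to read before loading anything; often the right fix is
    a relabel or a boolean, not a new allow rule."""
    perms = ' '.join(d['perms'])
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {{ {perms} }};"


def inode_lookup_hint(d: dict) -> Optional[str]:
    """When the object is only identified by inode, the find command that names it."""
    if 'ino' not in d:
        return None
    return f"find / -xdev -inum {d['ino']} 2>/dev/null   # on dev={d.get('dev', '?')}"


# Constructed sample: httpd blocked from reading a file labelled user_home_t.
SAMPLE = ('type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open } for  '
          'pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 '
          'scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')

if __name__ == "__main__":
    d = parse_avc(SAMPLE)
    print(f"{d['comm']} (pid {d['pid']}) as {d['source_type']} was denied "
          f"{d['perms']} on a {d['tclass']} labelled {d['target_type']}")
    print("proposed rule:", allow_rule(d))
    print("locate object:", inode_lookup_hint(d))
```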