Although it looks as if this thread has been beaten sufficiently to death, I thought I'd air some of my ignorance on the subject:

The reasons I see for not using SELinux are as follows:

One, this is still in-front-of-leading-edge technology. For all that the NSA is a major contributor, it needs a lot of debugging.

Two, I know that mis-configuration can result in reduced security, and I haven't had time to learn the configuration yet. I particularly worry about getting the system-level policy right for the kinds of things I do.

Three, I'm not confident that ACLs are as effective as they are said to be, and I know how to set up the equivalent of ACLs using standard unix permissions, and that does cover most of my needs. (I know some common implementations of ACLs are a couple of dollars short. When I can get the time to study the current implementation in SELinux, I may change my mind about this point.)

The reasons I see for "normal home users" using SELinux are as follows:

One, IP spoofing. Even assuming your firewall is correctly set to block packets coming from outside with local range IP source addresses, if you lose one box inside, filtering ssh access based on IP address is going to fail. (And I really _do_ want to ssh in from outside, anyway.)

Two, you're bound to want to run something that you don't really want to trust the whole system to, which at some point will want access to something that gives it more potential access than you want it to have, say something in /etc , and ACLs and policies should give you the opportunity to at least try to limit the evil that could be done.

Three, geeks are human.

Four, if Linux users don't debug SELinux, who will?

And it's number four that would win in my case, if I had the extra hardware. The home systems of members of this mail list are probably as good a debug environment as could be hoped for, in terms of making this kind of technology available to _real_ normal users.

-- 
Joel Rees <rees@xxxxxxxxxxx>
digitcom, inc.
株式会社デジコム
Kobe, Japan +81-78-672-8800
** <http://www.ddcom.co.jp> **
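The post above says that standard Unix permissions cover most of what ACLs are for. The following is an added example, not part of the original message, that models both access-check algorithms side by side so the difference can be seen concretely: the classic owner/group/other check, and the POSIX.1e ACL check as described in acl(5) (owner, then named users, then any matching group entry capped by the mask, then other). The users, groups and file metadata are constructed for the illustration and are not from the post.

```python
"""Added example: a model of Unix DAC and POSIX ACL access checks.

Everything below (users alice/bob/mon, groups monitor/admins, file
app.conf) is constructed for illustration; it is not from the post.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in chmod


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int  # e.g. 0o640


def unix_allows(f, user, user_groups, want):
    """Classic Unix check: exactly one class applies.

    The owner is judged by the owner bits only; a matching group never
    falls through to the other bits. So one file can express one owner
    right, one group right and one 'everyone else' right, no more.
    """
    if user == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in user_groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


@dataclass
class AclFile:
    owner: str
    group: str
    user_obj: int            # owner permissions
    group_obj: int           # owning-group permissions
    other: int
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)
    mask: int = 7            # caps named users and every group entry


def acl_allows(f, user, user_groups, want):
    """POSIX.1e ACL algorithm (acl(5)): owner, named user, groups, other.

    Any matching group entry that grants the request is enough; the mask
    applies to everything except the owner and 'other' entries.
    """
    if user == f.owner:
        return f.user_obj & want == want
    if user in f.named_users:
        return f.named_users[user] & f.mask & want == want
    group_entries = []
    if f.group in user_groups:
        group_entries.append(f.group_obj)
    group_entries += [p for g, p in f.named_groups.items() if g in user_groups]
    if group_entries:
        return any(p & f.mask & want == want for p in group_entries)
    return f.other & want == want


def demo():
    """Constructed scenario: alice owns app.conf; the monitoring account
    'mon' (group monitor) must read it; fellow admin 'bob' must read and
    write it; nobody else may touch it."""
    # Standard permissions cover alice and the monitor group (0o640) ...
    plain = UnixFile(owner="alice", group="monitor", mode=0o640)
    results = {
        "unix_alice_rw": unix_allows(plain, "alice", {"alice"}, R | W),
        "unix_mon_r": unix_allows(plain, "mon", {"mon", "monitor"}, R),
        "unix_mon_w": unix_allows(plain, "mon", {"mon", "monitor"}, W),
        # ... but bob cannot be given rw without a second group slot,
        # which the mode word does not have: he lands in 'other'.
        "unix_bob_r": unix_allows(plain, "bob", {"bob", "admins"}, R),
    }
    # A named-user ACL entry expresses the extra right directly.
    with_acl = AclFile(owner="alice", group="monitor", user_obj=R | W,
                       group_obj=R, other=0, named_users={"bob": R | W},
                       mask=R | W)
    results["acl_bob_rw"] = acl_allows(with_acl, "bob", {"bob", "admins"}, R | W)
    results["acl_mon_w"] = acl_allows(with_acl, "mon", {"mon", "monitor"}, W)
    # The usual ACL surprise: on a file with an extended ACL, chmod's group
    # bits rewrite the mask, so 'chmod g-w' silently strips bob's write too.
    capped = AclFile(owner="alice", group="monitor", user_obj=R | W,
                     group_obj=R, other=0, named_users={"bob": R | W},
                     mask=R)
    results["acl_bob_w_masked"] = acl_allows(capped, "bob", {"bob", "admins"}, W)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'allow' if allowed else 'deny'}")
```

The last case is the kind of "a couple of dollars short" behaviour worth knowing before relying on ACLs: a routine chmod on an ACL-bearing file changes the mask rather than the owning group's entry, so rights granted to named users and groups can shrink without any ACL tool being run.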