Hi

> The reasons I see for not using SELinux are as follows:
>
> One, this is still in-front-of-leading-edge technology. For all that the
> NSA is a major contributor, it needs a lot of debugging.

Fedora Core 3 and RHEL 4 come with targeted policy enabled by default. Sure, it can improve over time but I wouldn't classify those as "debugging".

> Two, I know that mis-configuration can result in reduced security, and I
> haven't had time to learn the configuration yet. I particularly worry
> about getting the system-level policy right for the kinds of things I do.

OK. A much better idea is to try it out. SELinux works on top of normal DAC-based security. Any misconfiguration would probably prevent some stuff from working properly but it wouldn't result in any less security.

> Three, I'm not confident that ACLs are as effective as they are said to
> be, and I know how to set up the equivalent of ACLs using standard Unix
> permissions, and that does cover most of my needs.
>
> (I know some common implementations of ACLs are a couple of dollars
> short. When I can get the time to study the current implementation in
> SELinux, I may change my mind about this point.)

SELinux is not just ACLs. I am not even sure if you are implying that but if you think so then please read the relevant documents.

--
Regards,
Rahul Sundaram