On Tue, 2007-01-16 at 01:10 -0500, Claude Jones wrote:
> Maybe you guys are thinking about this all wrong. Suppose that SELinux
> is really a diversion. By forcing the question of mandatory access
> controls at the kernel level, there's a team of specialists being
> trained who are mastering in great depth the detailed minutiae of how
> each daemon they program for functions at the lowest levels. The goal
> is to create the specialist team that knows every hook, every detail,
> of low-level operations of all major software running in the OS.

I was being more of a devil's advocate than anything else... But going along with what you mention is more in keeping with what I had in mind.

SELinux is about restricting access, not providing more of it. If you remove it, you're granting access to more of your system. The real question is whether SELinux has a loophole that grants access without you knowing about it (lunatic wild conspiracy theory). Unless SELinux provides yet another way into your system, removing it doesn't bring about any tangible security benefits.

It goes back to one of the original discussions: what *EXACTLY* does it do (more than we know about?). If it *only* adds restrictions, there's nothing for anybody to worry about. Except, perhaps, for some program authors that think that they should be able to read any file on the system without restrictions (e.g. your /etc/passwd files, and so on, being served out through Apache).

--
(Currently testing FC5, but still running FC4, if that's important.)
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.