Rahul Sundaram wrote:
I understand that point and it's valid; however, it is an important
differentiation. SELinux with the assorted set of security enhancements
have been very useful in mitigating security issues. Even end users who
tend to not like SELinux and turn it off have benefited from it.
While SELinux policies a number of issues have been fixed with software
that was using more privileges than necessary or need to be redesigned
because there were fundamental flaws.

Can you give some real examples of something where correctly applied
standard unix/linux permissions and user/group ids would not work but
SELinux does? Or currently-likely bugs in programs that need suid root
permissions to open a low-numbered port but otherwise run as a uid with
limited permissions that SELinux might catch. It might be easier to
tolerate the backwards-incompatibilities if we had some actual examples
of how it has helped anyone.
--
Les Mikesell
lesmikesell@xxxxxxxxx