> Why do the supposed selinux functions, if 10,000% less important than a > firewall (my personal estimation anyway) seem to take 10,000 times more > maintenance than the far more important firewall? They solve a harder problem. And actually when we first turned on firewalling by default a similar thing occurred until howtos and the like to tweak it appeared Its solving a very different problem. Firewalls stop attacks against the host from outside inwards. Modern attacks are all based on things like web page flaws, and user stupidity because both of those bypass firewalls. Since the bad guys can't get in via services they wait for you to come to them and try and break through your web browser, or they mail you and try to break your mail client or have you do dumb things like save a PDF file then read it with acroread without forcing safe mode. SELinux helps contain these types of attack. Its one of about five differing things going on - all of which broke something on the way - NX broke miswritten apps, non-exec elsewhere broke stuff, and so on. Alan
