Tim:
>> One of the (almost) unsung benefits of it is to do with created
>> software.
>>
>> If the programmers use a system with SELinux, they're forced into
>> writing their software better. And we end up with software which

Mike McCarty:
> They are forced into writing it SELinux aware. That is not
> part of my definition of "better".

This is you trying to fit it into your blinkered view. You harp on about it being about mitigating already compromised machines, which is an over-simplification to the point of being stupidly and utterly wrong.

Ignoring your ignorance, for the moment. If you read what I wrote, and snipped off. Writing to support working with SELinux means writing software in a better manner so that it doesn't expect to be able to do things that it shouldn't be allowed to (accessing files it has no business doing so, being executable in places that it shouldn't, and so on).

It's *that* sort of thing that makes for better programming. If you can't grasp that, you're not up to the task of programming in a safe manner.

> Note that SELinux does not attempt to make a machine more
> secure, except in a very general sense. It attempts to mitigate
> damage on a machine WHICH IS ALREADY COMPROMISED.

Bollocks!

> It does little AFAICT to prevent compromise.

Oh do some research!

--
[tim@bigblack ~]$ uname -ipr
2.6.22.5-76.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.