> that the disadvantages far outweigh the advantages. There are
> exactly three users which can actually log on to my machine:

You hope...

> It appears to me that RH is courting large corporate or government
> users where political considerations and the ability to dodge
> responsibility are important, rather than stand-alone small desktop
> systems with single or just a very few actual users.

SELinux is useful in both cases. Large corporations may well use custom rules to protect critical data or enforce policies (e.g. 'no you can't run anything you download'). In the general case it's there to protect all systems and users by doing its best to divide up the different aspects of a machine and make it very hard to use one part of the system to break another and build a chain of steps ending in compromise.

The number of official users of a box is really irrelevant, and to a large extent so is the data on it. A compromised box gets used for spamming, attacking other hosts and more. Insecure systems are antisocial regardless of whether their owner is inconvenienced.

I don't doubt plenty of people on this who don't run SELinux do run a tight ship, do check for compromises and don't run leave compromised machines on the net. There are however plenty of people who are sloppy, or simply don't have the skill needed to run the box properly - and that's one good reason for defaulting firewalls and selinux on - to ship a default level of security appropriate to external risk. Allowing users to turn off security is generally better than assuming they will read the manual and turn it on.

> I think it would be better if they had the option simply not
> to install.

It's a bit like asking for a car to come with automatic or manual transmission. It isn't a last minute extra you fit like a headrest, it's intrinsic to the very build of the system. There are sound engineering reasons why "rpm -e selinux" isn't doable (or believe me we'd have done it that way!)

Alan