Why do I need SELinux?

Rahul Sundaram rahulsundaram at gmail.com
Mon Feb 21 09:19:08 UTC 2005


Hi

> The reasons I see for not using SELinux are as follows:
> 
> One, this is still in-front-of-leading-edge technology. For all that the
> NSA is a major contributor, it needs a lot of debugging.

Fedora Core 3 and RHEL 4 come with targeted policy enabled by
default. Sure, it can improve over time but I wouldn't classify those
as "debugging".


> 
> Two, I know that mis-configuration can result in reduced security, and I
> haven't had time to learn the configuration yet. I particularly worry
> about getting the system-level policy right for the kinds of things I do.
> 

OK. A much better idea is to try it out. SELinux works on top of
normal DAC-based security. Any misconfiguration would probably prevent
some stuff from working properly, but it wouldn't result in any less
security.


> Three, I'm not confident that ACLs are as effective as they are said to
> be, and I know how to set up the equivalent of ACLs using standard unix
> permissions, and that does cover most of my needs.
> 
> (I know some common implementations of ACLs are a couple of dollars
> short. When I can get the time to study the current implementation in
> SELinux, I may change my mind about this point.)

SELinux is not just ACLs. I am not even sure if you are implying that,
but if you think so then please read the relevant documents.




-- 
Regards,
Rahul Sundaram
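
Added example (not part of the original message): a toy Python model of the layering described in the reply, where the DAC check runs first and SELinux type enforcement can only deny further. The users, paths, type names and policies are constructed for illustration, and DAC is simplified to owner/other mode bits.

```python
from itertools import product

# Constructed sample data; users, paths and type names are illustrative.
FILES = {
    "/var/www/index.html": ("root", 0o644, "httpd_sys_content_t"),
    "/etc/shadow": ("root", 0o600, "shadow_t"),
    "/home/al/notes.txt": ("al", 0o640, "user_home_t"),
}
PROCS = {  # name -> (user, SELinux domain)
    "httpd": ("apache", "httpd_t"),
    "login": ("root", "local_login_t"),
    "shell": ("al", "unconfined_t"),
}
PERMS = {"r": 4, "w": 2}
TYPES = {t for _, _, t in FILES.values()}
DOMAINS = {d for _, d in PROCS.values()}

def dac_allows(proc, path, perm):
    """Owner/other mode bits only (no groups, no capabilities)."""
    user, _ = PROCS[proc]
    owner, mode, _ = FILES[path]
    bits = (mode >> 6) & 7 if user == owner else mode & 7
    return bool(bits & PERMS[perm])

def mac_allows(policy, proc, path, perm):
    """Type enforcement: denied unless an allow rule matches."""
    return (PROCS[proc][1], FILES[path][2], perm) in policy

def granted(policy):
    """Every (proc, path, perm) that passes DAC and then the policy."""
    return {
        (p, f, m) for p, f, m in product(PROCS, FILES, PERMS)
        if dac_allows(p, f, m) and mac_allows(policy, p, f, m)
    }

ALLOW_ALL = set(product(DOMAINS, TYPES, PERMS))  # most permissive policy possible
DAC_ONLY = granted(ALLOW_ALL)                    # what mode bits alone permit
GOOD = {("httpd_t", "httpd_sys_content_t", "r"), ("local_login_t", "shadow_t", "r")}
GOOD |= set(product(["unconfined_t"], TYPES, PERMS))
BROKEN = GOOD - {("httpd_t", "httpd_sys_content_t", "r")}  # rule left out by mistake

if __name__ == "__main__":
    for name, pol in [("good", GOOD), ("broken", BROKEN), ("allow-all", ALLOW_ALL)]:
        g = granted(pol)
        print(name, len(g), "grants; beyond DAC:", sorted(g - DAC_ONLY))
```

In this model the policy with the missing rule stops httpd from reading its own content, while even the allow-everything policy grants exactly what the mode bits already permit.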



