On Sunday 28 November 2010 22:40:41 brett mm wrote:
This is where, as a sysadmin, you need to invest just a little time and effort learning the system. Honestly, the vast majority of issues are trivial to solve if you just spend a few hours reading the docs/guides, and even if you really can't be bothered there are kind folks on this list (and others) that will likely solve your issues for you. How is that not worth the extra security SELinux affords?
In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group permissions can give as finely-grained a security policy as you would like.
No, you're wrong --- SELinux exists precisely because the old-school permissions system is *not* fine-grained enough. That's why SELinux was actually invented, to introduce a more fine-grained control over access.
I am lazy to search now, but I remember seeing a couple of typical counter- examples, where usual permissions system is completely incapable of implementing the level of access control that SELinux gives you. If you do a clever google search I am sure you can find some examples of this.
HTH, :-) Marko