Lamar Owen wrote:
With SELinux I can set files and whole hierachies to not allow Acrobat Reader access of various types, while still alllowing access to those areas it needs. Voila! Acrobat Reader vulnerabilities and the PDF's that exploit them no longer have any power to exploit my system. Same with Flash, Java, and Firefox itself. If firefox has no need to write into my Documents directory, then I can lock out my Documents directory to firefox (even when it's running with the right uid:gid that would defeat old-school uid:gid based perms) and not worry about a malicious website exploiting a firefox zero-day modifying any of my files in Documents.
Your enthusiasm for SELinux seems tied conceptually to a workstation running the set of applications that come with the distribution. Nothing wrong with that.