On Fri, 2005-11-18 at 08:53, Bryan J. Smith wrote: > Yet according to him, people like you and I who are implementing SELinux > in the same environments, we're doing it all-for-not! That's simply not > true! And I agree, remote systems are _ideal_ for RBAC/MAC. Well, it may or may not be true. It is certainly well-intentioned, but we are talking about bugs and unexpected behavior here which by definition aren't predictable. You may, by adding extra layers of security, protect against some flaw that will turn up even in the simple, well understood existing programming. Or, you may, by adding extra layers of complexity and less-tested code, introduce new vulnerabilities that no one understands yet. And even more likely, by making normal operations more difficult, you set up the authorized users to need more outside help and more chances for social engineering efforts to steal their credentials. -- Les Mikesell lesmikesell at gmail.com