On Tue, 7 Dec 2010, m.roth at 5-cent.us wrote:

>> I am not arguing that SELinux is easy, I am arguing that it is not
>> rocket science. I have worked for several years to try to make
>
> If rocket science means very difficult and obscure, yes, it is.

I've got to cry "foul" here. "Difficult and obscure" can be applied to just about any *nix command-line utility (or Windows registry hack, or Mac OpenDirectory tweak, ...). I don't consider SELinux any more difficult to understand and manage than other Linux security-related controls like iptables or extended ACLs. That isn't to say that my mother-in-law would take to it, but I'd expect any sysadmin on my IT staff to be able to learn it. In that sense, it's certainly not rocket science.

Daniel's other point concerns increased usability. I've been using SELinux for a while now -- not always successfully, and I certainly do NOT consider myself an expert -- and it's quite apparent to me that the folks at Red Hat have unquestionably made it easier to use over that time. It's apparently quite difficult to write policies for some applications (*cough* Nagios) that want to do a ton of things -- and third-party or in-house apps have a different set of challenges -- but I can't imagine anyone claiming that there hasn't been marked progress in SELinux usability over the CentOS 4 -> 5 life cycles.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/