On Wed, Dec 8, 2010 at 11:10 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
>> iptables is a de-facto standard on all Linux distributions nowadays. It
>> is not ratified by ISO, IETF or similar ... but how does that make the
>> real life scenario any different? That's just a piece of paper.
>> iptables works, and so does SELinux - when you learn how to use it.
>
> The real life situation is that iptables only works on Linux and the way
> it works is distribution-dependent. So what you learn may lock you into
> a platform that may not always be your best choice.

iptables rules are distribution-independent. Different distributions dump
the iptables control and config files in different locations...

>> SELinux came as a result that someone found weaknesses and wanted to try
>> to avoid security issues. Just like when firewalls began to become so
>> popular 20-30 years ago or so. There was a need to improve something,
>> and someone did the job. Nobody cared much about firewalls in the early
>> 80's. Why? Maybe because nobody thought anyone would abuse or misuse
>> the network infrastructure?
>
> Does that mean you would not be comfortable moving your applications to
> SUSE, Solaris, OS X, Windows, etc.? I don't want that kind of lock-in.

SUSE has AppArmor (which it considers equivalent/superior) but you probably
can install SELinux on it (you can on Ubuntu and Debian). Solaris has
Trusted Extensions for MAC and RBAC. OS X has a Macified version of
TrustedBSD. Windows has UAC. (In the same way that the last three have
their own firewall apps!)
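The point about iptables rules being distribution-independent while the storage location is not can be made concrete with the `iptables-save` text format: RHEL/CentOS keep it in /etc/sysconfig/iptables, Debian's iptables-persistent in /etc/iptables/rules.v4, but the content is the same on both. The following is an added example, not code from the thread or any of its participants. It parses a constructed `iptables-save` dump offline and reports the one thing an administrator reviewing a moved ruleset should check first: which built-in chains still fall through to an ACCEPT policy. The sample dump, the function names and the audit rule are all this example's own assumptions.

```python
"""Parse an iptables-save dump and audit the default chain policies.

Added example (not from the mailing-list thread). The iptables-save format
is identical across distributions; only the file it lives in differs
(/etc/sysconfig/iptables on RHEL/CentOS, /etc/iptables/rules.v4 with
Debian's iptables-persistent). Run it directly to see the report.
"""
import re

# Constructed sample, written in the format iptables-save emits.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry "-" as policy.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}.

    Each rule is stored without its leading "-A ", so it reads
    "CHAIN <match options> -j TARGET".
    """
    tables = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.startswith("*"):
            current = line[1:]            # "*filter" opens a table block
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            current = None                # end of the table block
        elif current is None:
            raise ValueError(f"line outside a table block: {line!r}")
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"bad chain line: {line!r}")
            chain, policy = m.groups()
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(line[3:])
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return tables


def rules_for_chain(tables, table, chain):
    """All rules appended to one chain, in evaluation order."""
    return [r for r in tables[table]["rules"] if r.startswith(chain + " ")]


def audit_default_policies(tables):
    """Flag built-in filter chains whose default policy is ACCEPT.

    INPUT and FORWARD are checked; an ACCEPT default there means any
    traffic not matched by an explicit rule is let through. (Assumed audit
    rule for this example, not a claim from the thread.)
    """
    findings = []
    policies = tables.get("filter", {}).get("policies", {})
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"filter/{chain}: default policy is ACCEPT")
    return findings


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for table, data in parsed.items():
        print(f"table {table}: {len(data['rules'])} rule(s)")
        for chain, policy in data["policies"].items():
            print(f"  chain {chain:<12} policy {policy}")
    for finding in audit_default_policies(parsed):
        print("WARNING:", finding)
```

Because the parser only understands the `*table` / `:chain` / `-A` / `COMMIT` lines, it will raise on anything it does not recognise rather than silently skipping it, which is the behaviour you want when the dump has been copied between systems and may have been edited by hand.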