On Sunday 28 November 2010 22:40:41 brett mm wrote: > > This is where, as a sysadmin, you need to invest just a little time and > > effort learning the system. Honestly, the vast majority of issues are > > trivial to solve if you just spend a few hours reading the docs/guides, > > and even if you really can't be bothered there are kind folks on this > > list (and others) that will likely solve your issues for you. How is > > that not worth the extra security SELinux affords? > > In reality, I am not at all sure that a quantum leap in complexity > adds to security at all. Any proper use of old-school group > permissions can give as finely-grained a security policy as you would > like. No, you're wrong --- SELinux exists precisely because the old-school permissions system is *not* fine-grained enough. That's why SELinux was actually invented, to introduce a more fine-grained control over access. I am lazy to search now, but I remember seeing a couple of typical counter- examples, where usual permissions system is completely incapable of implementing the level of access control that SELinux gives you. If you do a clever google search I am sure you can find some examples of this. HTH, :-) Marko