Lamar Owen wrote:
> With SELinux I can set files and whole hierarchies to not allow Acrobat
> Reader access of various types, while still allowing access to those
> areas it needs. Voila! Acrobat Reader vulnerabilities and the PDFs
> that exploit them no longer have any power to exploit my system. Same
> with Flash, Java, and Firefox itself. If firefox has no need to write
> into my Documents directory, then I can lock out my Documents
> directory to firefox (even when it's running with the right uid:gid
> that would defeat old-school uid:gid based perms) and not worry about
> a malicious website exploiting a firefox zero-day modifying any of my
> files in Documents.

Your enthusiasm for SELinux seems tied conceptually to a workstation running the set of applications that come with the distribution. Nothing wrong with that.

--
Charles Polisher