Lamar Owen wrote:
> On Tuesday, November 30, 2010 11:38:24 am m.roth at 5-cent.us wrote:
>> Lamar Owen wrote:
>> > 2.) Be able to tell my OS 'PDF reader can only do X to these files,
>> > and no others. Browser cannot read ~/Documents, and can only write in
>> > ~/.mozilla. Flash plugin cannot write anywhere without specific user
>> > permission and can only read those files it requires to work.'
>>
>> Gag! And suppose you d/l a pdf, or an html of a manual, or the company
>> holiday party flyer, or the meeting announcement - the way you describe
>> it, above, I can't look at them.
>
> Valid point; I'd just want to tune my policy. The biggest lack I see
> right now is a simple interface to the policy settings, but it is getting
> better each iteration.

Right - change *local* policy for every iteration.

>
>> Sorry, but I think selinux is a side pathway that leads to an
>> unnavigable swamp. And training folks - you need a number of folks *all*
>> of whom can deal with that swamp.
>
> You are certainly entitled to your opinion.
>
> Swamps are buildable with ACL's, SELinux contexts, user permissions, and
> basically any other controls. Well-groomed gardens are also buildable
> with these tools; at least the tools are available. One should not avoid
> greenery entirely just because one has seen overgrown yards before.

I'm talking about the real, outside world, *not* my own personal system. And for personal systems, even though it would protect a lot of folks, it would stop them from doing still more... and we're talking about folks who are *NOT* knowledgeable.

>
>> Unless, of course, you want to be so irreplaceable that they don't want
>> you to ever take a vacation, and are on call 24x7x365.25.
>
> For my own laptop? :-) And why would I want to be on call 365 weeks a
> year?

As I said, I work in the real world with all this, and you seem to be arguing, based on your own personal experience, that those of us in the workplace should do thus-and-so, and we're telling you what it's like in the trenches, and why we don't like selinux.

<snip>

mark