On 03/20/2018 01:42 PM, Peter Kjellström wrote:
> On Tue, 20 Mar 2018 13:07:12 +0100
> hw <hw at gc-24.de> wrote:
>
> ...
>> So what do you really gain from selinux, and is that worthwhile all
>> the trouble and the hours spent to fix the problems it creates? What
>> about the impact on performance?
>
> The main feature is that lots of software is indeed confined (even
> though your normal login or desktop remains unconfined).
>
> This is exactly what happens to exim in your case. It is exim_t not
> unconfined_t which means when/if it goes crazy (or is exploited) the
> damage can be limited.

which is what access rights are for

> For some people it's also useful that it provides the ability to define
> user types (see "semanage user --list").

How is this useful? It makes things much more complicated and more
unmanageable. It still doesn't allow me as a user to make it so that a
program I'm running can only access the files I want it to access.

Why isn't that a common thing for users to do? Gimp doesn't need to have
access to my emails and fvwm doesn't need to access anything but its
configuration, etc. Since those are common things, why doesn't selinux
do it --- and in such a way that it is easy to manage?
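The point Peter makes about exim running as exim_t rather than unconfined_t can be checked on any SELinux host by reading the type field of each process's security context. The script below is an added example, not code from either poster: it takes `ps -eZ`-style output (a constructed sample is embedded so it runs offline; on a real system replace it with the output of `ps -eZ`) and reports which processes run in a given domain and how many are unconfined. The context format user:role:type:level is the standard SELinux layout; the process names and PIDs in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Classify processes by SELinux domain from ps -eZ style output.
# SAMPLE_PS is constructed; on a real host use:  PS_OUT="$(ps -eZ)"

SAMPLE_PS='LABEL                                         PID TTY      TIME     CMD
system_u:system_r:exim_t:s0                   1234 ?        00:00:01 exim
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2346 pts/0 00:00:02 gimp
system_u:system_r:sshd_t:s0-s0:c0.c1023        987 ?        00:00:00 sshd'

# Return the type (domain) field of a SELinux context string.
# A context is user:role:type:level; the level may itself contain
# colons (s0-s0:c0.c1023), so only the first three fields are stable.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Count processes whose domain is unconfined_t. The first line of
# ps -eZ output is the column header and is skipped (NR > 1).
count_unconfined() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($1, f, ":")
        if (f[3] == "unconfined_t") n++
    } END { print n + 0 }'
}

# Print the command name of every process running in domain $2.
procs_in_domain() {
    printf '%s\n' "$1" | awk -v d="$2" 'NR > 1 {
        split($1, f, ":")
        if (f[3] == d) print $NF
    }'
}

# Stand-alone usage against the constructed sample.
echo "processes in exim_t:"; procs_in_domain "$SAMPLE_PS" exim_t
echo "unconfined processes: $(count_unconfined "$SAMPLE_PS")"
```

Run on a live system, the same functions over `ps -eZ` output show the split Peter describes: daemons such as exim and sshd in their own domains, while the login shell and anything it starts (gimp in the sample) sit in unconfined_t and get no confinement from the policy.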