Subject: Re: SE Linux vs SE NetBSD !!
To: Travis H. <solinym@gmail.com>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 08/26/2006 02:59:04
Travis H. wrote:

> Actually now that I think about it, SELinux attributes are even more
> data stored on the filesystem, but it is generated from an SELinux
> policy file.  It's not done in realtime; as a matter of fact, it's
> very time-consuming to relabel the filesystem.  One neat thing is that
> you can set up a cron job that reports any differences,
> and it can heal itself, a lot like mtree.
> 
> I think what it boils down to is that the granularity of SELinux
> permissions is much smaller than that of traditional Unix, so you can
> give permission to talk on the network, or append to a file, or
> perform an ioctl, and so on.  I'm a control freak, so it appeals to
> me.

None of the above requires an SELinux-like environment.

> I wouldn't want to have to come up with a policy to cover a huge
> network abomination like sendmail, maybe not bind either, but programs
> that follow the "do one small thing and do it well" policy are fairly
> easy to write policies for.

But programs like sendmail and bind are the ones that get your computer
compromised. :)

-e.

-- 
Elad Efrat