On 3/27/06, Michael Halcrow <[EMAIL PROTECTED]> wrote:
> Personally, I would prefer the power, flexibility, and (yes)
> complexity of SE Linux over many other MAC solutions out
> there. AppArmor may be a good solution for many cases, but just
> because it is simpler does not mean that it can do a better job of
> securing a system than SE Linux can do.

Complexity is what makes a system insecure. The tradeoff need not be between security and usability but between simplicity and flexibility. I'm not saying, of course, that SELinux is inherently insecure. I don't believe that. What I do believe is that the complexity means that it's difficult to learn and to use correctly (securely) and the majority of admins will never learn it. Now, some (one?) distros provide SELinux profiles for all of their applications, but these systems tend to be fragile. The minute you have to compile something yourself to add some functionality the distro didn't provide, you have to learn SELinux or it will probably break in some way. Many admins simply turn SELinux off because they can't spend the time to learn how to make it work for them.
