Re: To the contrary

SELinux has been available to the open source community for many years, and is now a standard part of RH's install. Yet the vast majority of people who look at it reject it and choose nudity instead :) In the usual open source world, that rate of rejection usually says "nice try, how about something else?"

Have you considered the possibility that these users have no need for either SELinux or AppArmor? I'm one of the people who turns SELinux off. It's not because it's flawed. It's because I got an EACCES one day, did not understand why from "ls" output, and then much later saw in /var/log/secure something about SELinux denying the call. It was easier to turn it off than to understand an entire layer of security that I didn't need on a minimum-security installation. The standard Unix model was sufficient for what I was doing, and I already understood it. AppArmor would have suffered the same fate.

This is probably the common case. These people are not saying "I extensively evaluated SELinux, was dissatisfied, and thus wanted to turn it off". They're saying "I want to use the simple system I already understand". If people don't have complex needs, you won't get them to use a complex security system. That doesn't mean the complex system is wrong. There may be a subset of people who need it to be just how it is, and they'll be pissed if you try to get them to use anything else.
