On 22.09-16:21, Douglas A. Tutty wrote:
[ ... ]
> > exercise for the reader: find somebody using SELinux. ask them to
> > describe their policy over the phone. then repeat it back to them.
> > did you get it right?
>
> [ ... ] In other words, since debian packages, by policy, must
> "just work" on install (come with a reasonable default setup), (except
> for a few things like the Shorewall firewall builder that installs to a
> disabled state that prints a warning), once Debian decides on a SELinux
> policy, all the thousands of packages have to be set up to detect the
> SELinux policy on the box at the time and integrate themselves into it.

i would be willing to bet this will never happen, particularly in a community like debian's. if, by some miracle, it does i'd make a further bet that they'll have to roll back the decision because their users will be crippled.

basically, good programming practices get you a lot more for a lot less than wide ethos changes. having said that the extended feature set of selinux can solve issues that "unix" systems are not able to.

in short, stick to openbsd. if you need selinux you'll know it ... then you'll go find another product that's not such a nightmare ... actually, nearly all of them are but that's another story.