Tim via users writes:
On Thu, 2025-11-13 at 08:12 -0500, Sam Varshavchik wrote:
> Conceptually, a complicated technical ecosystem like SELinux can only meaningfully scale if the barrier of entry is low enough for the upstream sources to be able to easily supply the SELinux policy, as part of the package.
>
> Originally, it was expected that SELinux will become very popular and take over the Linux scene by storm. It was thought that there wasn't much need to provide a rich set of resources for learning how to use SELinux. After all, everyone will simply have to deal with it, if they wish to play with the big boys.

That a scheme dreamt up by some American three-letter-organisation with a bad reputation wouldn't be popular, or user-friendly... Who woulda thunk?!
I completely forgot about that juicy nugget.
Does SELinux actually do anything beneficial for the average (*) person with a PC that cannot be remotely contacted? Potentially it could, but does it "actually"? And could other, simpler, schemes do the job just as well?

* The average person has no publicly responding servers. Is at home, not on public WiFi. And since the end of dial-up, is behind a router which doesn't forward unexpected connections through it to your PC.
Well, the argument for that is that SELinux helps to mitigate and contain the damage. Even if a given application falls to an exploit, the resulting fallout gets limited by SELinux. That's something that a basic end-user can certainly benefit from. I'll buy that.
SELinux's main problem is its cost vs benefit ratio. The above benefit matters, but it only benefits a very, very small number of Linux distributions. And the cost is significant, insofar as required investment of time and effort. The cost/benefit ratio is lousy.
