On Fri, 2004-04-30 at 05:40, Pete Chown wrote:
> I think this is especially true for a new security technology. Most
> people's view of security is quite simplistic: they want the bad guys
> kept out, without their work being interfered with. If SELinux
> interferes with their work, they will turn it off, reasoning that normal
> Unix security has kept the bad guys out so far. They are then unlikely
> to try it again later however much people tell them that the policy has
> been improved.

So how would people feel about a separate relaxed policy that allows
everything in the system to run completely unconfined except for a small
set of specific services, e.g. apache, bind, postfix, ... That would
ensure that SELinux wouldn't get in the way of users, while providing
some protection benefit for network-facing services.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency