SELinux - a call for end-of-life.

Marko Vojinovic vvmarko at gmail.com
Wed Sep 1 14:48:37 UTC 2010


On Wednesday, September 01, 2010 14:31:55 Bruno Wolff III wrote:
> On Wed, Sep 01, 2010 at 12:35:14 +0000,
>   JB <jb.1234abcd at gmail.com> wrote:
> > - it has to be simple to be acceptable and understandable by all sys
> > admins and
> 
> SELinux is fundamentally simple. When a process acts on an object, the
> label of the process, the label of the object and the action are checked
> in a table and either allowed or denied (with optional logging).

+1.

I could even go as far as to say that SELinux is simpler than iptables, from
both a fundamental and a practical point of view. And they basically serve a
similar purpose: one filters file access, the other filters network access.

It's just that some people are too lazy to read and understand two or three 
man pages.

Best, :-)
Marko
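
Added example, not part of the original message: a Python sketch that reads AVC audit records, which carry the three inputs of the table check Bruno describes (process label, object label, action), and groups the denials by table key. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1283352517.101:41): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1283352517.102:42): avc:  denied  { getattr } for  pid=2210 comm="httpd" path="/home/jb/index.html" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1283352519.007:43): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1283352519.007:43): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1283352520.300:44): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def denied_lookups(log_text):
    """Map (process type, object type, class) -> set of denied permissions."""
    table = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue  # skip non-AVC records and logged grants
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")), m.group("tclass"))
        table[key].update(m.group("perms").split())
    return dict(table)

def as_rules(table):
    """Render each missing table entry in policy 'allow' syntax for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(table.items())]

if __name__ == "__main__":
    for rule in as_rules(denied_lookups(SAMPLE_LOG)):
        print(rule)
```

Each printed line names one table entry that was missing when the check ran; whether the right response is a policy rule, a relabel of the object, or leaving the denial in place is a review decision.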


