Posted Sep 23, 2004 2:56 UTC (Thu) by walters
In reply to: Complexity
Parent article: An introduction to SELinux
As for complexity, Stephen Smalley explains it elegantly.
The reason SELinux permissions aren't based on file paths has also been explained many times. Put most simply, there are *many* possible ways to reference a file (inode) in Linux. You can have hard links, bind mounts, symlinks, etc. Having the kernel try to control access via file paths is inherently fragile. You don't want to restrict file paths, you want to restrict access to the actual object.
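The comment's point that several paths can name one inode can be checked directly. The following is an added example (not from the comment or from SELinux itself): a constructed fixture with a file, a hard link and a symlink to it, and two toy policies, one keyed on path strings and one keyed on the object identity `(st_dev, st_ino)`, standing in for a label attached to the inode. Bind mounts are omitted because creating one needs privileges; the same identity check would cover them too.

```python
import os
import tempfile


def make_fixture(root):
    """Constructed sample: a protected file plus a hard link and a symlink to it."""
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("sensitive\n")
    hard = os.path.join(root, "alias.txt")
    os.link(secret, hard)          # second directory entry for the same inode
    sym = os.path.join(root, "pointer.txt")
    os.symlink(secret, sym)        # separate inode whose target resolves to secret
    return secret, hard, sym


def object_id(path):
    """Identity of the object a path resolves to; os.stat follows symlinks as open(2) does."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def path_policy_allows(denied_paths, path):
    """Toy path-based policy: deny only if the exact path string is listed."""
    return path not in denied_paths


def object_policy_allows(denied_objects, path):
    """Toy object-based policy: deny if the resolved inode carries the denied label."""
    return object_id(path) not in denied_objects


def run_demo(root):
    """Return {alias: (path_policy_allows, object_policy_allows)} for each way of naming the file."""
    secret, hard, sym = make_fixture(root)
    denied_paths = {secret}
    denied_objects = {object_id(secret)}
    results = {}
    for name, p in (("direct", secret), ("hardlink", hard), ("symlink", sym)):
        results[name] = (path_policy_allows(denied_paths, p),
                         object_policy_allows(denied_objects, p))
    return results


def demo():
    with tempfile.TemporaryDirectory() as root:
        return run_demo(root)


if __name__ == "__main__":
    for name, (by_path, by_object) in demo().items():
        print(f"{name:9s} path-policy allows={by_path!s:5s} object-policy allows={by_object}")
```

The path-based policy blocks only the literal `secret.txt` path and lets the hard link and the symlink through, while the object-based policy denies all three because every one of them resolves to the same `(device, inode)` pair.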