So... let me get this straight. To you this entire argument isn't about
whether SELinux is an effective sandbox (it is, modulo kernel bugs, and
local attackers might be impeded somewhat by having to do all their work
through a pipe that getting local access might be harder than before: your
requirement for total kernel security is ridiculous on its face and
counter to the security philosophy that you espouse elsewhere in the *same
message*, of strength in depth). It isn't about how much ease of use it
brings over plain unadorned SELinux, if any (which is what the article was
It's about the *phrasing of the release announcement*?! Do you seriously
think that so many people are going to read it and use the sandbox code
(as opposed to, say, picking up F11 and getting it by default without
reading that announcement at all) that what they think after reading the
announcement will make *any* difference to security?
Do you seriously think, after twenty-plus years of viruses, that *anyone*
believes *any* vendor's claim that *anything* is totally secure? (In any
case, that assertion was not made in this case: 'more secure' than an
SELinux that guards only system daemons it surely is). The public are not
idiots and aren't going to be reading this release note in enough numbers
to affect security in any case.
You have a nerve talking about straw men when your entire argument is
based on a misreading and you contradict yourself in a single post.