Posted Jun 24, 2010 4:46 UTC (Thu) by raven667 (subscriber, #5198)
Parent article: LSM stacking (again)
I don't think stacking modules is actually a good idea. It way over-complicates practical system security. I also think that the assertion that SELinux isn't used needs some clarification and may be false. As a user and administrator of Linux systems, everything has come with SELinux on and enforcing for many years now. I have not had a problem with this; the few times I have needed to run chcon or change the policy I can count on one hand, and they have not required more than a few lines generated by audit2allow.
The take-up by individual developers of writing policies for their own code instead of leaving it to the distributors, and the level of understanding of the full policy amongst anyone who isn't responsible for writing policies full time, might be low, but I don't think that SELinux has failed at all in penetrating the marketplace and in being a useful tool that all take advantage of. I think that the set of people who aren't using SELinux or another comprehensive LSM module is fairly small. The people who are disabling SELinux are just very vocal and uninterested in actually solving their security policy problem, whatever it happens to be.