With all respect to the SELinux developers, SELinux is by no means the only MAC framework for Linux. I'm surprised to find no mention of it in this discussion.
I really don't know SELinux at all. However, I'm very familiar with LIDS, and I can substantiate that in the LIDS framework, highly restricted systems can be configured with a relatively small number of ACLs, which are strictly rule-based. ACLs are applied to fs/inode tuples, not "paths," and no "policy compiler" or similar complexity is introduced. (LIDS does have a "learning mode" facility for automatically generating ACLs based on [ideally normal] activity patterns on a host.)
Hence, just based on reports, it would seem possible that:
1. SELinux object and policy system may deliver (much?) finer-grained security policies than LIDS
2. LIDS rulesets for single-purpose hardened systems appear to be both simpler and _smaller_ than SELinux policies--making them potentially easier to construct and to understand/audit
It seems like it would be well worth the effort to compare different approaches to this problem, before concluding that the MAC concept is unworkable or that it necessarily leads to unmanageable complexity. That has not been my experience with the LIDS system.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds