It seems that the biggest problem with SELinux is that it has been designed from the most complex conceptual model, as required to represent most classical security models, rather than just starting with the simplest model required to add basic MAC. And this complexity makes every other aspect of it a nightmare to work with. I'm guessing that most people and policies don't make use of the user, role, sensitivity, or categorisation. Having all those aspects hidden and disabled when not used to allow SIMPLE policies that rely on just type/domain and transition rules would help understanding immensely.
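For readers who want to see what "just type/domain and transition rules" looks like in practice, here is a minimal SELinux loadable policy module written in type enforcement statements only. This is an added illustration, not part of the comment above and not taken from the reference policy or any distribution; the types mydaemon_t, mydaemon_exec_t and mydaemon_log_t are assumed names for a hypothetical daemon started by init_t.

```selinux
# Added illustrative module, not from the LWN comment or any shipped policy.
# Hypothetical daemon; the mydaemon_* type names are assumptions.
module mydaemon 1.0;

# The only objects the policy author really reasons about are types.
type mydaemon_t;        # process domain the daemon runs in
type mydaemon_exec_t;   # label of the daemon's executable
type mydaemon_log_t;    # label of the files it is allowed to write

require {
    type init_t;         # existing init domain that starts the daemon
    role system_r;       # existing role; needed even in a "type-only" policy
    class process { transition sigchld };
    class file { read open getattr execute entrypoint append create };
    class dir { search getattr add_name write };
}

# Domain transition: when init_t executes a file labelled mydaemon_exec_t,
# the new process is placed in mydaemon_t.
type_transition init_t mydaemon_exec_t:process mydaemon_t;
allow init_t mydaemon_exec_t:file { read open getattr execute };
allow init_t mydaemon_t:process transition;
allow mydaemon_t mydaemon_exec_t:file entrypoint;
allow mydaemon_t init_t:process sigchld;

# Least privilege for the confined domain: it may only append to its own logs.
allow mydaemon_t mydaemon_log_t:dir { search getattr add_name write };
allow mydaemon_t mydaemon_log_t:file { create open getattr append };

# The role layer does not disappear even when nobody "uses" roles: without
# this statement the resulting context system_u:system_r:mydaemon_t is
# invalid and the kernel refuses the transition.
role system_r types mydaemon_t;
```

The module can be compiled and loaded with the standard toolchain: `checkmodule -M -m -o mydaemon.mod mydaemon.te`, `semodule_package -o mydaemon.pp -m mydaemon.mod`, then `semodule -i mydaemon.pp`. Two caveats: a real daemon also needs permissions on shared libraries, /dev/null, its configuration and so on, which is why reference-policy modules use interfaces such as `init_daemon_domain()` instead of the raw rules shown here; and the final `role` line is exactly the kind of detail the commenter is objecting to, since a policy that only ever thinks in types still has to satisfy the user and role layers underneath.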
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds