First SELinux impressions

First SELinux impressions

I'll grant that the "gaping holes" comment was a little over the top, but if you are trusting the system with data that needed that additional protection, and you think that you have hardened it, but have actually misconfigured it in some non-obvious fashion - then you are worse off than if you knew that it could not be trusted with the data.

I'm sure that SELinux will be a great benefit in some areas, but the complexity (necessary as it is) still concerns me. Both from a configuration standpoint (though again, good defaults could go a long way), and from a code-complexity standpoint (more complex code being prone to more bugs).