Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity

Oh Homer
Linux

Re: SELinux is not the answer.

I used to have to deal with SELinux a lot, in QA and package maintenance. It's been a long time, but IIRC the thing I disliked most about it was the fact that it was so obscenely complicated to administer, mainly because it required learning a whole new "language" (obscure "contexts"), and the resultant policies actually needed to be "compiled" into very inaccessible binary blobs, so that even developers had a hard time understanding it; your typical end user wouldn't have a hope of configuring it properly, if at all.

Indeed, the only actual "configuration" we saw from pretty much all the users was to disable SELinux to save having to deal with it, and the number one complaint, other than persistent breakage from buggy or incomplete policies, was the fact that no one felt comfortable blindly accepting security policies that needed to be created by complete strangers, because they were the only ones who understood SELinux well enough to write those policies (broken though they often were).

Any security mechanism so complicated that nobody understands it is patently not really secure, no matter how good it might be in theory.
