On 09. 04. 21 at 23:48, Michael Ströder wrote:
> And an insane CPU and I/O load when updating the SELinux profiles... At least that's my experience with CentOS.
Pain is brief even though intense, true. However, how often do you upgrade the profiles?
> But sorry, I don't buy this broad statement regarding better security.
I had a couple of presentations on the theme, unfortunately most of them in Czech. There are some examples (named, httpd), where the advantages are completely obvious and tested in real life.
> At the moment I feel more of a push-back when adding e.g. systemd sand-boxing than anything else. Just changing a technology is not a solution for anything.
Nothing against sand-boxing, it might be useful for some applications, but it is much more crude and much less useful, IMHO.
Best,
Matěj https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
You either die a hero or you live long enough to see yourself become the villain. -- Harvey Dent in The Dark Knight