Hi,

is there any in-depth discussion about compartments / mandatory access control out there that discusses risks and benefits?

I am currently not running any outside services on my tiny personal LAN for two reasons:

a) It makes me nervous. VERY nervous, indeed.
b) I am too lazy / don't have the time to track all security issues that could affect the service I am running. That in turn causes a) to kick in :->

On the other hand, I would like to run an H.323 gatekeeper (e.g. the one at http://www.opengatekeeper.org/), at least temporarily, for personal use. I might also be interested in (at least temporarily) exposing Apache with some DSOs to the outside world. All this I will only consider, though, if the risk of doing it is *very* low.

Is my understanding of compartments correct in that they will allow me to lock down a given "service" to a minimal set of user / group rights, thus reducing the effect of any (potential) security issues in the "service"? I am under the impression that I would have to use finer-grained MAC (ACL patches / LIDS) to restrict the feature set a service may use?

Assuming that my compartments and / or MACs are set up correctly and that all external services run in a compartment / are under MAC, which kinds of risks would I still be exposed to, and to what extent?