by cyphar 2817 days ago
> selinux or any of the other security mechanisms are completely ineffective if users or developers are largely ignoring them

SELinux works by default on Fedora, and even has a nice GUI popup that explains to you what happened when an SELinux policy blocked an action (so that you can reconfigure it). It's pretty neat, and is a massive improvement to SELinux of old -- I would recommend trying it if you haven't recently.

2 comments

Yes, I think my point still stands that a large number of desktop apps either have lax policies or run unconfined. I don't know if things have changed that much recently. Confinement is the opposite of ease of use. So Fedora/RHEL have selinux in enforcing mode, but the policies are still more effective for servers. I don't know how far they go with the policies for desktop.
It'd be nice to see this stuff in (open)SUSE too. wink wink