by marcosdumay 649 days ago
> A case has been made here that Debian is less secure for containers and server usage.

For shared server usage. Most servers are single-use, which makes SELinux mostly useless again.

And on those shared servers, you have to define your actual policies for it to be useful... Which a total of 0 people do.

It's hard to completely dismiss the idea that SELinux was an NSA plot to keep userspace capabilities out of reach on consumer OSes.


> It's hard to completely dismiss the idea that SELinux was an NSA plot to keep userspace capabilities out of reach on consumer OSes.

It should be trivial to dismiss given the widespread usage and real-world advantages it provides.

And no, a single-use server doesn't make SELinux useless. It still means SELinux can lock down whatever services are offered on that box better than pretty much anything else can.

Ha! Thank you!

Indeed, since the dawn of virtualization and automated deployment, shared servers are a legacy behavior. Well, in Debian's world, at least: for RHEL, you may pay per instance, so there is a financial incentive to share said instances.

Ergo, RHEL and friends are inherently less secure than Debian.

SELinux still offers a lot of additional protection in the case of RCE. There are literal examples of it working in the wild, e.g.

> For several versions of the OS, this worked quite well, but once dual-sim devices started coming out, this became more problematic. Furthermore, when SELinux became common on Android, this became more problematic since the radio SELinux context that rild started with was too restrictive for the implant to function.

- RoidRage Bootstrap Methods (https://wikileaks.org/ciav7p1/cms/page_28049453.html)
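As an added example, not part of this thread or of any project it mentions: the evidence that SELinux actually stopped something on a box is the AVC denial records auditd writes, so here is a small parser for them run over constructed sample lines. The lines model a web server confined in httpd_t being refused a shell execution, an outbound connection and a write to /etc/passwd after a hypothetical RCE, plus the same shell denial on a host in permissive mode. The point the code makes is the check a practitioner needs before crediting SELinux with a block: a denial with permissive=1 was only logged, not enforced. All PIDs, inodes, timestamps and the log text itself are made up for the example.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (made-up PIDs, inodes and timestamps),
# in the record format auditd uses for AVC messages. Lines 1-3 model a web
# server confined in httpd_t being stopped after a hypothetical RCE; line 4
# is the same shell-execution denial logged on a host in permissive mode,
# where nothing was actually blocked; line 5 is a non-AVC record to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { execute } for  pid=2201 comm="httpd" name="sh" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { write } for  pid=2201 comm="httpd" name="passwd" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:504): avc:  denied  { execute } for  pid=2300 comm="httpd" name="sh" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Header of an AVC record: timestamp:serial, verdict and the permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs in the tail of the record; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "domain": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the kernel refused the access; permissive=1 means
        # it only logged what it would have refused. Records without the field
        # (very old kernels) are conservatively treated as not enforced.
        "enforcing": fields.get("permissive") == "0",
        "fields": fields,
    }


def parse_log(text):
    """Parse every AVC record in an audit log excerpt, skipping other types."""
    records = (parse_avc(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def enforced_denials(records):
    """Keep only the denials that actually blocked an access."""
    return [r for r in records if r["verdict"] == "denied" and r["enforcing"]]


def summarize(records):
    """Count enforced denials by (domain, target type, class, permission)."""
    counts = Counter()
    for r in enforced_denials(records):
        for perm in r["perms"]:
            counts[(r["domain"], r["target_type"], r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print(f"{len(recs)} AVC records, {len(enforced_denials(recs))} enforced denials")
    for (domain, target, tclass, perm), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {domain} -> {target} {tclass}:{perm}")
```

On a real host the same functions can be fed /var/log/audit/audit.log or the output of `ausearch -m AVC`; a tally of enforced denials against a service's domain is what substantiates an "it worked in the wild" claim, while a tally of permissive=1 records only says what the policy would have stopped.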