[cyberax]

The thing is, it works better. A simple API like pledge/unveil allows apps to significantly improve the security level without much of time investment.

Meanwhile, complex external systems like SELinux end up being unused because they are complex and external (and thus can just be ignored).

[charcircuit]

>it works better

It doesn't. You can download malware and the app can cryptolock your entire system. Sure, if the malware called pledge to block opening files but what malware is going to do that?

[lagosfractal42]

> Meanwhile, complex external systems like SELinux end up being unused because they are complex and external (and thus can just be ignored).

Wdym? It's very notably used in Android

[cyberax]

Yeah, because they have a team of engineers working on it. They can afford that.

I have never seen SELinux used on a regular server. Heck, Amazon Linux AMIs on AWS even disable it by default.

Yeah, yeah, personal experience and all that.

[cyphar]

This has changed a lot in the past decade -- any modern Fedora box has SELinux enabled by default now and so I would wager the majority of Fedora/CentOS/AlmaLinux/RHEL boxes have SELinux enabled and in enforcing mode. openSUSE/SLES is also switching to SELinux in 16.0.

Disclaimer: I work for SUSE.