SELINUX=disabled
Thinking about it (maybe because I am watching an update go as I type), what the heck does this say about how we program? I guess in some ways it's why I like the idea of pledge. It makes me think better of the programmer because they have put some thought into their program. I'm not sure what I should think when I see SELINUX=disabled as a possible solution.
SELinux is not complex because we program in complex ways, but because we don't know the target program.
For example (again, nothing against Apache, but...), if I want to secure Apache, there's no way for me (as a sysadmin) to tell exactly which files, exactly which syscalls, and exactly which libs it needs to function, and there's no way for me to stay on top of it.
And the same applies to any other complicated software. How do I lock down X? Firefox?
Really, the beauty of a "pledge"-like system is that the programmer/PM of the code (which he should understand) should know how to lock it down.
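The pattern the comment is describing, as an added example that is not code from the thread or from OpenBSD: the program does its broad setup first (here, opening a configuration file), then promises the kernel it will only use a narrow set of facilities for the rest of its life. On OpenBSD this is the real pledge(2) with the "stdio" promise set; on Linux and other systems, where pledge does not exist, the example substitutes setrlimit(RLIMIT_NOFILE, 0), which is assumed here as a much weaker stand-in: it only prevents opening new descriptors and does not filter syscalls the way pledge does. The "/dev/null" path is a placeholder for a real config file.

```c
/* Added example of the "set up, then pledge" pattern. On OpenBSD the real
 * pledge(2) is used; elsewhere setrlimit(RLIMIT_NOFILE, 0) is an assumed,
 * far weaker substitute that only blocks new file descriptors. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Phase 1: open everything the program needs for its whole lifetime. */
int open_config(const char *path) {
    return open(path, O_RDONLY);
}

/* Phase 2: narrow the process to stdio-only behaviour. Returns 0 on success. */
int restrict_to_stdio(void) {
#ifdef __OpenBSD__
    /* "stdio" keeps read/write on already-open descriptors, memory
     * allocation, clocks and similar; a later open(2) kills the process. */
    return pledge("stdio", NULL);
#else
    /* Stand-in (assumption, not pledge): no new descriptors may be opened,
     * but descriptors opened in phase 1 keep working. */
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_NOFILE, &rl);
#endif
}

/* Reading an already-open descriptor is still allowed after the restriction.
 * Reads at most n-1 bytes and NUL-terminates; returns the byte count or -1. */
ssize_t read_some(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    if (got >= 0) buf[got] = '\0';
    return got;
}

/* A new open(2) after the restriction: returns -1 (errno EMFILE) with the
 * rlimit stand-in. On OpenBSD the kernel aborts the process instead, so the
 * OpenBSD build never calls this after pledge. */
int try_open_after_restrict(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { close(fd); return 0; }
    return -1;
}

int main(void) {
    char buf[64];
    int fd = open_config("/dev/null");   /* placeholder for a real config path */
    if (fd < 0) { perror("open"); return 1; }
    if (restrict_to_stdio() != 0) { perror("restrict"); return 1; }
    printf("read after restrict: %zd bytes\n", read_some(fd, buf, sizeof buf));
#ifndef __OpenBSD__
    printf("new open after restrict: %d (%s)\n",
           try_open_after_restrict("/dev/null"), strerror(errno));
#endif
    return 0;
}
```

The point the comment makes is visible in the structure: only the author of the program knows that, once the config is open, nothing else in its lifetime needs to open a file, so only the author can place that promise correctly. A sysadmin writing an external policy has to guess at the same set from the outside.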
Quicker, but not cheaper