SELinux in the Real World

SELinux does a good job at exposing the sheer complexity of an entire Linux system. Modern Fedora and RHEL systems get a lot of [SELinux] attention, and for the most part you won't know SELinux is "running" (it is not a daemon; it is mostly hooks in the kernel coupled with a security policy for decision making).

An interesting (sometimes frustrating) aspect of security is the question "what's it doing?" or "is it working?". Well, if it is working, you might not ever know. If you are running a web server and it has just been staying up, then you might not know a couple of exploits were even tried against your system.

As for Government, there are public sources (listings of government projects and the like) that seem to point to MAC (Mandatory Access Control, i.e. SELinux) being used, and possibly quite heavily. Government systems, depending on deployment and what information a system holds, have to meet certain criteria before being used.

As for private companies, I don't know. If they need the integrity that SELinux brings to the table, then they should.

In the end, security is really risk management and choosing the right level of effort. Also, security is an ongoing effort, not something you merely turn "on".


A lot of shops that I know of would like to use SELinux, but are not able to. Many vendors that build their products for RHEL, for example, explicitly require SELinux to be shut off. As long as joints like Oracle do not properly support SELinux, I don't see it taking off big time, except on web servers (on which I would always leave it on!).

SELinux isn't that complicated anymore. If you look at RHEL4 and RHEL5 and compare how complicated SELinux is on both, the difference is huge. If you compare Fedora 11 to RHEL5, the difference is huge again. Big strides are being made, but as long as guys like Oracle think SELinux is not worth supporting, you'll keep seeing a lot of people turning it off.