On Nov 28, Christoph Hellwig <hch@lst.de> wrote:
> It's just a bad idea of a security model that implements ad-hoc
> and mostly path based restrictions instead of an actually verified
> security model. Using that by default makes it much harder to actually
> use a real MAC based security model, which not only is required for
> various security sensitive deployments but also a good idea in general.

This may be true, but OTOH nobody cared enough about SELinux to actually
make it work out of the box in Debian.