Doing some research: on what devices or Linux distros is SELinux enabled by default, besides Android devices?
Conversation
Replying to
Fedora and RHEL but they do drastically less with it than Android and it's not really at all comparable. Android is heavily designed around it and every user-installed app goes into a unique instance of a highly restrictive domain. It uses it for ioctl filtering, etc. too.
1
1
1
Android uses MLS in addition to MAC. Apps run with a per-user, per-app MLS security level. It also uses it for enforcing IPC security policies including via userspace enforcement. It's not an additional security layer. It's core to the privacy and security approach throughout.
It's not because Fedora / RHEL are doing SELinux wrong but because they don't have a well-defined base OS developed together with SELinux as a core part of it.
It's a drastically different beast when every app has to target a well-defined sandbox and the OS is built around it.
1
1