Two paragraphs below what you quoted I acknowledged exactly what you
state. However, since you must tag everything before you turn on any
security, it seems to me that you have to define everything, which is a
similar amount of work as you would have to do for a default allow policy.

Ok, it sounds as if I did misunderstand SELinux. I thought that by
labeling the individual files you couldn't do the 'only restrict apache'
type of thing.

For AA you don't try to define permissions for every executable, and ones
that you don't define policy for are unrestricted.

So as I understand this, with SELinux you will have lots of labels around
your system (more as you lock down the system more). You need to define
policy so that your unrestricted users must have access to every label,
and every time you create a new label you need to go back to all your
policies to see if the new label needs to be allowed from that policy.
Is this correct?