Secured against disaster: Governments look to Linux to avoid viruses

Source: News Forge

SELinux employs an access control system that uses data types and a variety of rules-based enforcement protocols as a means for setting up both confidentiality and integrity rules on user systems. The result is a highly flexible, yet highly secure system with enforcement rules embedded into a discrete "security server." The server contains the policies for each type of data and on each each type of data acts on another piece of data. SELinux revalidates the security permission schema for each file type each time it is used.
The result is that a virus cannot succeed in a SELinux system. In the unlikely event that a virus could even be introduced into an SELinux-based system, and then executed, the virus should not be able reproduce onto an executable file.

In theory, this shouldn't happen because Unix programs shouldn't have more than read or write permissions anyway, but in this case, SELinux would also prevent propagation of the virus because the reach of each program executable is restricted to its own "type." Therefore, any of the executables that would normally be targets for the virus are effectively walled off. Even attacking the root won't have an effect on the policies structure. The system may not be foolproof, but as a secure, intelligently configured alternative it beats traditional Unix configurations, and it beats Windows hands down.

Perhaps your company doesn't think replacing Windows with Linux is worth the hassle. But if their systems crashed because of Code Red or Systran or Goner -- or perhaps all three, have them take a look at SELinux, and -- have a conversation."