• 0 Posts
  • 12 Comments
Joined 2 years ago
Cake day: June 6th, 2023


  • I would go a step further and say that any time one of these MAC systems has to resort to user interaction to do its job, it’s a straight up failure case: the system simply didn’t have enough information to do its job, ended up doing no better than a blanket “block everything” config, and is asking the user to do 100% of the heavy lifting of determining what should happen.

    So, when I hear

    “If someone is lazy or not knowledgeable enough to make the right decision…No automated system can protect [them].”

    I hear: “every access control system is fundamentally broken”. Which is fine, maybe that’s true, there’s a reason social engineering is so useful. So then all these systems should prioritize streamlining that failure case as much as possible: Tell the user what is accessing what, when, how, and then make it trivial to temporarily (with well-defined limits), permanently (or even volatile-y using CoW/containerization/overlay fs) grant or deny access as quickly and easily as possible.

    Every other system you’re comparing SELinux to, AFAIK, handles this case better, which is why users tend to prefer them.

    For the record, I’m not arguing that SELinux is bad at the actual access control part, I’m only answering why people don’t like using it, which is how it handles the failure case part. Now it’s been a while since I’ve used SELinux and I’ve never used setroubleshooter, but if you tell me it actually streamlines all of this to be smoother than every other tool, then I’ll install it tonight!
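    An added example, not part of the comment above and not code from any SELinux tool: a small Python triage helper that turns raw AVC denial lines into the "what is accessing what, when, how" summary the comment asks for. The log lines are constructed samples, and the names `parse_denials` and `summarize` are hypothetical; it covers only the reporting step, not granting or denying access.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log lines in the kernel's AVC denial format.
SAMPLE_LOG = '''\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/home/alice/site/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.250:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/alice/site/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000060.500:460): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=USER_LOGIN msg=audit(1700000070.000:461): pid=900 uid=0 msg='op=login acct="alice" res=success'
'''

AVC_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\): avc:\s+denied\s+\{ ([^}]+)\} for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Group AVC denials by (process, source type, target type, object class)."""
    groups = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        ts, perms = int(m.group(1)), set(m.group(2).split())
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        # Contexts are user:role:type:level; the type is what policy rules match on.
        src = f["scontext"].split(":")[2]
        tgt = f["tcontext"].split(":")[2]
        obj = f.get("path") or f.get("name") or (f"port {f['dest']}" if "dest" in f else "?")
        key = (f.get("comm", "?"), src, tgt, f["tclass"])
        g = groups.setdefault(key, {"perms": set(), "count": 0, "first": ts, "object": obj})
        g["perms"] |= perms
        g["count"] += 1
        g["first"] = min(g["first"], ts)
    return groups

def summarize(groups):
    """One human-readable line per group: who, how, on what, how often, since when."""
    out = []
    for (comm, src, tgt, cls), g in sorted(groups.items()):
        when = datetime.fromtimestamp(g["first"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        perms = ", ".join(sorted(g["perms"]))
        out.append(f"{comm} ({src}) was denied {perms} on {cls} {g['object']} ({tgt}), "
                   f"{g['count']}x, first at {when}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(parse_denials(SAMPLE_LOG))))
```
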


  • How do you know when you’re letting through a valid access, an unnecessary one that could be a vulnerability, and an actively malicious one?

    I don’t think anyone is saying throw out all access control, they’re just saying SELinux adds too much unproductive friction for everyday usage. You said it takes 15m to troubleshoot. But that’s not a one-time thing, that’s 15m that scales with the amount of new programs and updates you’re running. And 90% of people aren’t even going to be able to tell they’re looking at a malicious access if they’re in the habit of always working around blocks that show up.




  • So, when you say crippled kernel, do you actually mean you tweaked the kernel params/build to the point that it failed to boot? Or do you just mean you messed up some package config to the point that the normal boot sequence didn’t get you to a place you knew how to recover from and need to reinstall from scratch?

    I think I’m past the point where I need to do a full reinstall to recover from my mistakes. As long as I get a shell, I can usually undo whatever I did. I have btrfs+timeshift also set up, but I’ve never had to use it.







  • On top of all the other informative comments answering a plethora of questions you understandably have when entering the Linux ecosystem, I want to express: don’t feel like you need to learn all this stuff if it doesn’t interest you, or otherwise turns you off the idea of Linux.

    It’s perfectly fine to ignore all the terminology, install whatever new-user friendly version of Linux you can, and just start using it. If it’s not to your taste, or it asks too much of you, maybe try a different one. But I’m of the firm belief that immediately inundating a new user with a bunch of new vocab and unfamiliar workflows is the mark of a bad new user experience, and you shouldn’t feel required to put up with that.

    The fact is, unlike MSFT who has a bunch of terminology internal to the Windows dev teams, Linux is developed in the open, so all the terminology leaks into the user world too. And you just need to get good at saying, “if this doesn’t help me use my PC better for what I need it to do, I don’t care”.