Quote Originally Posted by Rexilion View Post
You also have to look at the other side, i.e. the distribution. It has to setup infrastructure to verify and sign every binary that passes. And who says that distributions have proper security mechanisms preventing the keys from being stolen/abused? Even kernel.org got hacked. Why not some random server from Ubuntu?
RedHat, Novel oder Canonical can easy setup an Infrastructure for there Distributions.

Quote Originally Posted by Rexilion View Post
As for configuration, you can assert that for every defense mechanism.
But its much much easer to Sign an program as to write an complete and secure selinux policy for each (!) program.