If you are building a static system, SELinux is amazing. You need a few lines of policy per application to label things appropriately, then you can see what accesses programs made and decide if you want to allow them or not.

Taking a full Linux system and adding a locked down SELinux policy can be done in less than a week. If you are starting with an SELinux enabled system and just want to lock down your application, it can be done in less than a day.

Once you know what you are doing, there is also a pretty powerful policy analysis tool that lets you see what a given domain can do; including transitive things like “domain sandbox_t can launch a program in Domain vim_t, which can write a file in Domain sshd_config_t, which can be read by domain sshd_t” which may indicate that your sandbox has a hole allowing it to compromise your sshd configuration. Although, to be fair, doing this level of analysis is not simple, even with the tooling. And you very quickly notice issues that are inherent in how Linux works.

The problem with SELinux comes when you try applying it to general purpose systems, because you do not know ahead of time what the user will want to do. To be effective, policy needs to be written for the specific system it will be running on.

An example I like to use is Android. Android makes great use of SELinux, and is a general purpose system. But the SELinux policy itself does not protect the general purpose Android system. It protects the special purpose system that is the Android runtime. All apps run with the same policy that says things like “cannot access the filesystem at all, unless given access by the Android runtime”, then the actual security policy users see is all implemented in use space by Android. SElinux is just a means of preventing apps from bypassing the Android permission system.

Also, AppArmor might not exist without SELinux.

When the NSA first implemented SELinux, they did so directly, but were not able to get that merged into mainline because there was concern that SELinux was not the correct solution.

What they ended up doing was creating the Linux Security Modules (LSM) framework, which is just a bunch of hooks in the kernel that a module can implement. SELinux was then rewritten as LSM module. This allowed other solutions like AppArmor to be implemented without any invasive work; they could just plug into the same system SELinux used.

Some time later, the ability to run multiple LSMs at once was added.

Incidentally, Linux capabilities are also implemented as an LSM.

A typical employee would have taxes taken out of every paycheck. Employers calculate that assuming they are your only source of income and you have nothing interesting going on tax wise, which is correct for 90% of people. Employees can ask for their income tax withholding to be changed and employers will do so no questions asked [1]. At the end of the year, you’re employer will give you a form W2 that says how much they payed you, how much they paid in taxes on your behalf, how much they payed into your tax deductible account on your behalf, etc. Basically everything about your job that is tax relevant. A copy of this W2 form is sent to the IRS.

If you have investment accounts, work as an independent contractor, or various other forms of income, you will generally be given a form 1099. Again, a copy of this will be sent to the IRS. Income tax is not automatically withheld from these, so if you get a lot of income through them, you may owe taxes at the end of the year.

You may also qualify for tax deductions that lower your effective income for the purposes of computing your income tax. For instance, the interest on you mortgage, charitable donations, etc. However if you choose not to claim these, you can instead claim a deduction of about $14,000; which is more than most people would be able to deduct anyway, so there often isn’t a point of keeping track of these.

There are a couple of less common situations that you may need to deal with

1. You can deduct significantly more than the standard deduction, so actually need to keep track of all of your possible deductions.

2. You are self employed. In this case, you need to keep track of your business expenses, as those are deductible. You also do not have anyone taking out your income tax for you, so you are responsible for making sure you have enough saved come tax time (these tend to be the people who have problems). You are also supposed to pay taxes quarterly.

3. You have a significant amount of income that is not from a single W2 employer. This can be multiple W2 jobs, 1099 jobs, investment income, proceeds from criminal activity, etc.

4. You make a significant amount of money from unreported cash tips. (In practice, you can underreport this and no one will know).

5. You choose to deduct your state’s sales tax instead of your states income tax; and do so by actually tracking how much you pay in sales tax instead of estimating it based on your income.

Having said all of that. For 99% of taxpayers, the IRS knows exactly how much you owe; because all of your income was reported to them, as was your only significant deductions, and nothing else matters because you just take the standard deduction for the rest. The IRS could send you a bill/refund based on this and let the remaining 1% file if the IRS gets it wrong. However, that would collapse the tax preparation industry, so companies like TurboTax have lobbied against it for years.

What actually happens instead is you go to TurboTax, upload all of the forms that were sent to the IRS, and let them file taxes on your behalf. This service was “free” until they were sued for false advertising on account of charging money.

[0] At least for income tax. There’s a few other taxes on payroll that you cannot change.

[1] Assuming you asked in the form of a properly filled out W4.

Not sex related, but I learned it in sex ed. Most males do not have a big depression in their chest. Turns out that the males in my family happened to have a condition known as Pectus Excavatum.

I had the good fortune of meeting a couple of board game nerds before getting into the hobby myself. They had a seperate insurance policy specifically for their games.