[CentOS] SELinux - way of the future or good idea but !!!

Christopher Chan christopher.chan at bradbury.edu.hk
Mon Nov 29 08:15:27 EST 2010


On Monday, November 29, 2010 08:50 PM, Marko Vojinovic wrote:

> Well, the kernel I used at the time had a known exploit (exploitable by some
> services I was running), and the intruder got advantage of that. Of course, it
> was partly my fault, because I didn't restart those machines for a long time,
> so the updated kernel wasn't running on them.
>
> So yes, I agree, if I took good care of the rest of the system nothing serious
> would have happened. But in this particular case SELinux saved my skin, since
> the third machine could take the load from the first two while these were
> kickstarted by a friend of mine... :-)
>

There is also the case of recently discovered exploits. Like the one in 
phpmysqladmin that was made known in September. Okay, the HQ chap was 
inept in allowing anybody to access phpmysqladmin imagining that the 
password protection was sufficient and at the same time allowing access 
to setup.php from anyone on the Net so he could have prevented it the 
whole thing in the first place without the protection of SELinux. But 
had he had SELinux running, it could have foiled the upload of the bot 
and subsequent execution.


More information about the CentOS mailing list