[CentOS] SELinux - way of the future or good idea but !!!
christopher.chan at bradbury.edu.hk
Mon Nov 29 08:15:27 EST 2010
On Monday, November 29, 2010 08:50 PM, Marko Vojinovic wrote:
> Well, the kernel I used at the time had a known exploit (exploitable by some
> services I was running), and the intruder got advantage of that. Of course, it
> was partly my fault, because I didn't restart those machines for a long time,
> so the updated kernel wasn't running on them.
> So yes, I agree, if I took good care of the rest of the system nothing serious
> would have happened. But in this particular case SELinux saved my skin, since
> the third machine could take the load from the first two while these were
> kickstarted by a friend of mine... :-)
There is also the case of recently discovered exploits. Like the one in
phpmysqladmin that was made known in September. Okay, the HQ chap was
inept in allowing anybody to access phpmysqladmin imagining that the
password protection was sufficient and at the same time allowing access
to setup.php from anyone on the Net so he could have prevented it the
whole thing in the first place without the protection of SELinux. But
had he had SELinux running, it could have foiled the upload of the bot
and subsequent execution.
More information about the CentOS