On Wed, Dec 1, 2010 at 12:52 AM, Geoff Galitz geoff@galitz.org wrote:
I would guess no one knows. But all of my CentOS installs are OOB as concerning SELinux, except the two scalix installs, which have some custom 'stuff' thanks to the scalix instance naming.
All I know is at the last two companies I worked at - AT&T, a small team building software for the NOC, a smaller root CA, and here at the federal agency I'm at, we either turned it off, or have it set to permissive.
I disabled it on the last 1000 hosts *I* installed....
Hmmm... it would be interesting to take some CentOS systems with production-like deployments (say 3 with SELinux and 3 without) and ask a professional pen-tester to try to get into them.
Anyone willing to contribute funds (or time) to such a study? It would be an educational experience and good PR, at the least.
Oh, I know the holes and which would be straightforward to get to. There's generally enough lower hanging fruit with NFS stored passwords, email with passwords, and poorly managed elevation via SSH keys as policies before I even got there that this protection is like putting a bike lock on a jello mold.