On Tue, Dec 30, 2014 at 04:07:25PM -0600, Valeri Galtsev wrote:
> So, my question is: can someone design an attack scenario which would be successful if it were not for SELinux, and which is thwarted by SELinux. Note that the fact that a script kiddie just forgot to put as a first line
>
>     /usr/sbin/setenforce 0
>
> doesn't make such an example a solid case pro SELinux for me.
If this attack scenario is attacking a service running as root (which would be required to setenforce 0), it'd still be prevented as long as the service runs in a confined domain that would have rules to stop it (which most services have, for obvious reasons).
This is one of the reasons why it's best to run the packaged software, in standard locations. Running apache from /usr/local/apache-1.2.3/sbin/httpd instead of /usr/sbin/httpd would mean it would be running with the wrong context and wouldn't have all the built-in protection included in the SELinux httpd policy.
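To make the "wrong context" point concrete, here is a small added check (my own example, not code from anyone in this thread). The SELinux httpd policy only transitions a process into the confined httpd_t domain when the executable carries the httpd_exec_t file type; a binary dropped under /usr/local normally inherits usr_t and so runs unconfined. The script parses `ls -Z` style output (a constructed sample is embedded; on a real host pipe in the actual `ls -Z` output), reports any httpd binary that lacks httpd_exec_t, and prints the standard `semanage fcontext`/`restorecon` commands that would label a non-standard path persistently. The sample paths and labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: does each httpd binary carry the httpd_exec_t type that the
# SELinux httpd policy needs to confine it in httpd_t?

# Constructed sample of `ls -Z` output (format as on CentOS 6/7). On a live
# host replace this with:  ls -Z /usr/sbin/httpd /usr/local/apache-1.2.3/sbin/httpd
SAMPLE_LS_Z='-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 /usr/local/apache-1.2.3/sbin/httpd'

# check_exec_type LS_Z_OUTPUT EXPECTED_TYPE
# Prints "ok PATH" or "MISMATCH PATH TYPE" per line; exit 1 if any mismatch.
# The context field is user:role:type:level, so the type is the third part.
check_exec_type() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 5 {
            split($4, ctx, ":"); type = ctx[3]; path = $NF
            if (type == want) print "ok " path
            else { print "MISMATCH " path " " type; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# count_mismatches LS_Z_OUTPUT EXPECTED_TYPE -> number of binaries lacking the type
count_mismatches() {
    check_exec_type "$1" "$2" | grep -c '^MISMATCH' || true
}

# fix_commands PATH -> the commands an admin would run to give a non-standard
# httpd the httpd_exec_t label: semanage records it persistently, restorecon
# applies it to the file on disk.
fix_commands() {
    printf "semanage fcontext -a -t httpd_exec_t '%s'\nrestorecon -v '%s'\n" "$1" "$1"
}

# Run against the constructed sample when executed directly.
if [ "$(basename "$0")" != "sh" ]; then
    check_exec_type "$SAMPLE_LS_Z" httpd_exec_t || true
    echo "binaries without httpd_exec_t: $(count_mismatches "$SAMPLE_LS_Z" httpd_exec_t)"
    fix_commands /usr/local/apache-1.2.3/sbin/httpd
fi
```

After relabelling and restarting the service, `ps -eZ | grep httpd` should show the worker processes in httpd_t rather than unconfined_t or initrc_t; that is the quick way to confirm the policy is actually applying to a custom-path build.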