[CentOS] can't enable selinux CentOS 6.5

Wed Dec 31 04:12:36 UTC 2014
Jonathan Billings <billings at negate.org>

On Tue, Dec 30, 2014 at 04:07:25PM -0600, Valeri Galtsev wrote:
> So, my question is: can someone design attack scenario which would be
> successful if it were not for SELinux, and which is thwarted by SELinux.
> Note that the fact that script kiddie just forgot to put as a first line
> 
> /usr/sbin/setenforce 0
> 
> doesn't make such example a solid case pro SELinux for me.

If this attack scenario is attacking a service running as root (which
would be required to setenforce 0), it'd still be prevented as long as
the service runs in a confined domain that would have rules to stop
it (which most services have, for obvious reasons).

This is one of the reasons why its best to run the packaged software,
in standard locations.  Running apache from
/usr/local/apache-1.2.3/sbin/httpd instead of /usr/sbin/httpd would
mean it would be missing the wrong context and wouldn't have all the
built-in protection included in the SELinux httpd policy.

-- 
Jonathan Billings <billings at negate.org>