Todd Zullinger wrote:
And, of course, on top of compiler options and firewalls, SELinux is
one more layer that is added to protect against problems in upstream
code. If upstream code has some hole that tries to mail off
/etc/passwd somewhere, this is very likely to be denied by SELinux.
And when someone reports the denial, Dan, Miroslav, and the other
SELinux maintainers aren't too likely to allow it without asking what
good reason the upstream code would have to take such an action.
SELinux will not help you more if it gets overwritten/rootkited by
malicious RPM package (for instance during the install process).
You execute rpm install as root, don't you.
STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================