On Mon, 2013-04-15 at 09:12 +0100, Richard W.M. Jones wrote:
> which I interpret to mean that after using -fstack-protector-all and
> removing prelink, SELinux would become obsolete because no executable
> can be exploited.

No; there are plenty of exploits which aren't due to buffer overflows.
Particularly in the era of web applications; a lot of people just toss
up a Django or Ruby on Rails app, but it's *so* easy in those frameworks
to have a bug that allows arbitrary code execution in the context of the
service. SELinux is a good match for these sorts of apps; we just don't
have the management tools and documentation to make it easy for web
application authors to use.