Mike McCarty wrote:
A machine running the current SELinux implementation is provably less secure in some senses than one which is not.
From a very recent security update for httpd.

Update Information:

The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service (CVE-2007-3304). This issue is not exploitable on Fedora if using the default SELinux targeted policy.

Just a passing example.

Jim
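The missing check described in the quoted update information, sketched as an added example that is not part of the original message and is not Apache's code: a parent keeps a private list of the PIDs it forked and refuses to signal any scoreboard PID that is not on it. The `slot` struct and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CHILDREN 8
struct slot { pid_t pid; };  /* constructed model of one shared scoreboard slot */

/* Parent-private list of PIDs it forked; children cannot write to it. */
static pid_t known_children[MAX_CHILDREN];
static size_t n_children;

/* Fork a child that idles until signalled and record its PID privately. */
pid_t spawn_child(void) {
    if (n_children >= MAX_CHILDREN) return -1;
    pid_t pid = fork();
    if (pid == 0) for (;;) pause();
    if (pid > 0) known_children[n_children++] = pid;
    return pid;
}

/* Unchecked pattern the advisory describes: trusts whatever PID the slot holds. */
int signal_slot_unchecked(const struct slot *s, int sig) {
    return kill(s->pid, sig);
}

/* Checked pattern: signal only a PID this process forked itself.
 * Returns 0 on success, -1 if refused or if kill() fails. */
int signal_slot_checked(const struct slot *s, int sig) {
    if (s->pid <= 1) return -1;  /* 0 and negatives address groups; 1 is init */
    for (size_t i = 0; i < n_children; i++)
        if (known_children[i] == s->pid) return kill(s->pid, sig);
    return -1;
}

/* Returns 1 if a tampered slot is refused and a genuine child is signalled. */
int demo(void) {
    pid_t child = spawn_child();
    if (child <= 0) return 0;
    struct slot tampered = { getppid() };  /* constructed: PID of a non-child */
    struct slot genuine = { child };
    int refused = signal_slot_checked(&tampered, 0) == -1;
    int sent = signal_slot_checked(&genuine, SIGKILL) == 0;
    waitpid(child, NULL, 0);
    n_children--;  /* forget the reaped PID so a recycled one is not trusted */
    return refused && sent;
}
int main(void) { return demo() ? 0 : 1; }
```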