>A more sensible approach is to build application profiles like you do >for SELinux, and build in a mechanism to easily shutdown alerts at the >root if the admin thinks the specific pattern behavior of an application >is ok. SE Linux is one feed of data into the analysis. It does a good job of letting you know if the program suddenly wants to make syscalls or access resources that it hasn't in the past. But some attacks are within the behavior that SE Linux says is OK. At that point you are relying on other detectors for abnormal conditions like FORTIFY_SOURCE and stack-protector. This is what I'm really after and not abort() called by programmers. Its just unfortunate there is not a way to distinguish the two uses. -Steve ____________________________________________________________________________________ Sick sense of humor? Visit Yahoo! TV's Comedy with an Edge to see what's on, when. http://tv.yahoo.com/collections/222 -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list