Re: SElinux protection

>> 2. I read about the possibility of keeping processes from forking. 
>> Wouldn't you consider this as a protection from DoS attacks?
> 
> That could be effective in this case (as would resource limits), but 
> SELinux is not generally designed to counteract DoS attacks.

SELinux has the theoretical (has anyone done this yet?) ability to take away "fork" from an entire process context, i.e. killing all your webservers. This isn't really protection so much as something you can do in reaction to an attack. Resource limits, on the other hand, actually provide protection against this. Then again, you can also just use kill at that point.

In response to your first question of what sort of attacks are inhibited, the simple answer is that SELinux is a way of enforcing the intentions of application designers. In that sense SELinux doesn't prevent any application from being exploited; it simply prevents exploited applications from doing anything they can't do anyway. The current Fedora default policy targets servers, as they're a major source of exploits and usually behave in fairly standard ways, at least compared to user applications.

Chris Pardy

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
