Re: A casestudy where selinux has stopped malware attacks

Hello,

Please read about SELinux here:

http://selinuxproject.org/page/FAQ


MAC, in the case of SELinux, or DAC (Discretionary Access Control) are there to control the extent to which a user or process can access or interact with resources.

They by nature may sandbox an attack, but are not there to stop malware attacks.
They may mitigate some of them, like this one (exactly serving one of its purposes):

CVE-2016-9962 docker: insecure opening of file-descriptor allows privilege escalation:

http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/


Mitigating is not stopping; you still need to patch the vulnerability, and it is not necessarily for all kinds of malware or cases of malware. It depends on the malware, your setting, the environment, etc.

You may not deploy SELinux and think you stopped all attacks; it is just a false sense of security.

P.S. With special thanks to Dan Walsh of Red Hat


Best regards,
-- 
 Patrick K.

On 9/21/2017 12:13 AM, masoom alam wrote:
Hi everyone,

Do we have something like the mentioned subject documented?

Thank you. 


----
Dr. Masoom Alam,
Associate Professor,
Department of Computer Science,
COMSATS Institute of Information Technology,
Park Road, Islamabad
Off +92-51-9049-5391
Cell +92-332-9298-404

