I think a lot of people will disparage and mock Dan (FYI he is a core SELinux developer for Fedora if you do not know), but I think he outlines that it does prevent the medium-risk stuff, which I think no base Linux system (without MAC systems (SELinux, RBAC, AppArmor, etc.), just DAC of Unix file permissions) would let pass easily. All the logs, all the non-root data which hackers would use to build up to move forward in their operation.

I guess CGI scripting is convenient and necessary for most of us (just like bash itself), and SELinux did not prevent Heartbleed either. But that does not mean I will make coloring jokes about its inefficacy.
I'm a big fan of SELinux, and for many Shellshock attacks it will limit exposure, but Dan should know better than to invite people to ask him how SELinux helps mitigate a DHCP Shellshock attack...
Big fan of SELinux here - it's really saved my ass a few times and the best thing about it is that these days it's so damn easy to configure that you're mad not to use it.
    Let's look at what it can read.
    ... It can read apache static content, like web page data.
    Well what can't it read?
    user_home_t - This is where I keep my credit card data
    *db_t - No database data.
So, it can't read database data directly, but presumably your website can already connect to the database. Which means it can read out your database credentials, and just connect to the database?
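The two sides of this exchange, what the httpd_t policy did block and what a policy boolean may have opened back up, are both visible from the host. The script below is an added example, not code from this thread or from Dan Walsh's post: it parses constructed AVC denial records (in the format auditd writes) to show which target types httpd_t was refused, and checks constructed `getsebool -a` output against a short list of real httpd booleans that widen the domain. The choice of which booleans count as "widening" is an assumption for a hardened web host, not guidance from the thread.

```python
"""Summarise SELinux AVC denials and flag permissive httpd booleans.

Added example (not from the HN thread or from Dan Walsh's post). The audit
lines and the getsebool output below are constructed samples in the real
formats; the set of booleans treated as "should be off" is an assumption
about a hardened web host, not a recommendation taken from the page.
"""
import re
from collections import Counter

# Constructed AVC records in the format written by auditd (not real captures).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1412000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="cards.txt" dev="sda1" ino=4451 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1412000000.102:202): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1412000000.103:203): avc:  denied  { read } for  pid=2101 comm="httpd" name="messages" dev="sda1" ino=9912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1412000000.103:203): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1412000000.104:204): avc:  denied  { read } for  pid=2101 comm="httpd" name="cards.txt" dev="sda1" ino=4451 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Constructed `getsebool -a` output for a web host (not from a real system).
SAMPLE_GETSEBOOL = """\
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> on
"""

# Assumption: booleans a hardened web host would normally keep off, with a
# note on what each one widens. These are real policy booleans, but the list
# itself is this example's choice, not something the thread states.
WIDENING_BOOLEANS = {
    "httpd_can_network_connect": "httpd may open arbitrary outbound TCP connections",
    "httpd_can_network_connect_db": "httpd may connect to database ports",
    "httpd_enable_homedirs": "httpd may read user home directories",
    "httpd_execmem": "httpd may map writable and executable memory",
    "httpd_read_user_content": "httpd may read user content types",
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    # A context is user:role:type[:level]; the third field is the type/domain.
    rec["sdom"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise_denials(audit_text):
    """Count (source domain, target type, permission) triples over AVC lines."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["sdom"], rec["ttype"], perm)] += 1
    return counts


def flag_booleans(getsebool_text):
    """Return the widening booleans that are currently switched on."""
    flagged = {}
    for line in getsebool_text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep and state.strip() == "on" and name in WIDENING_BOOLEANS:
            flagged[name] = WIDENING_BOOLEANS[name]
    return flagged


if __name__ == "__main__":
    print("What the policy refused (domain, target type, permission, count):")
    for (sdom, ttype, perm), n in sorted(summarise_denials(SAMPLE_AUDIT).items()):
        print(f"  {sdom} -> {ttype} {perm}: {n}")
    print("Booleans that widen httpd_t and are on:")
    for name, why in flag_booleans(SAMPLE_GETSEBOOL).items():
        print(f"  {name}: {why}")
```

On a real host the two inputs would come from `ausearch -m avc` (or `/var/log/audit/audit.log`) and `getsebool -a`. The denial summary is the "SELinux save" half of the story: user_home_t and var_log_t reads were refused. The boolean check is the other half raised above: with httpd_can_network_connect_db on, the policy permits the web process to reach the database port, so a credential read from a config file the process is allowed to read is not something SELinux alone will stop.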
There are lots of stories of SELinux saves out there now. This is one I saw just recently:

https://www.reddit.com/r/linux/comments/1xdokz/selinux_saved_our_asses_xpost_rselinux/

I myself have had several SELinux saves. It's definitely proven itself valuable as an additional security control.