Quote Originally Posted by Dangertux View Post
To clarify I meant the 99% statement to be without MAC -- so you probably do agree with me just not the way I worded it lol.

I would certainly hope mandatory access controls do something in terms of 0 day since that's pretty much the only reason people use them. Though when you start talking about browser exploitation and other client side attack vectors the game changes considerably, as most client side apps need access to whatever is the target in the first place. So 0day still has a good chance of owning you.
Browsers are a problem , take a look at the firefox apparmor profile.

I think the only answer there is to not use them for such diverse activity, I don't.

Convenience and security are often at odds. Sure it is nice for flash to "just work", but not so nice to be pwned by flash.

For an example of what selinux will do for you:

1. I confine all my users with selinux.

2. See selinux sandbox.

http://blog.bodhizazen.net/linux/selinux-sandbox/

3. SELinux (and apparmor) can indeed be effective against some zero day exploits

http://danwalsh.livejournal.com/45194.html

https://media.blackhat.com/bh-us-11/...oid_Slides.pdf

But not all, for example, the recent BIND exploit.

http://cve.mitre.org/cgi-bin/cvename...=CVE-2011-4313

I do not think MAC (selinux or apparmor) would help with that ^^