Browsers are a problem; take a look at the Firefox AppArmor profile.
I think the only answer there is to not use them for such diverse activity; I don't.
Convenience and security are often at odds. Sure, it is nice for Flash to "just work", but not so nice to be pwned by Flash.
For an example of what SELinux will do for you:
1. I confine all my users with SELinux.
2. See SELinux sandbox.
http://blog.bodhizazen.net/linux/selinux-sandbox/
3. SELinux (and AppArmor) can indeed be effective against some zero-day exploits
http://danwalsh.livejournal.com/45194.html
https://media.blackhat.com/bh-us-11/...oid_Slides.pdf
But not all, for example, the recent BIND exploit.
http://cve.mitre.org/cgi-bin/cvename...=CVE-2011-4313
I do not think MAC (SELinux or AppArmor) would help with that ^^