Linux Journal have published an interesting article, Mambo Exploit Blocked by SELinux, by Richard Bullington-McGuire.

Mambo is a CMS written in PHP. At some point, the code was vulnerable to a worm, which breached Richard’s system. His article details how this breach was both detected and contained with SELinux, as configured with the default targeted policy under RHEL4.

It demonstrates one of the core goals of SELinux, which is to prevent flawed software from being exploited by malware. In this case, the payload was delivered into the system via a third party PHP application, but was then prevented from doing any damage.

The article is also useful generally as an example of computer forensics procedures.