Linux 2.6.30+/SELinux/RHEL5 Test Kernel Local Root Exploit 0day

A zero-day local root exploit involving SELinux appears to be out. Apparently it is bad even when SELinux is enabled.

/* super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
   A vulnerability which, when viewed at the source level, is unexploitable!
   But which, thanks to gcc optimizations, becomes exploitable :)
   Also, bypass of mmap_min_addr via SELinux vulnerability!
   (where having SELinux enabled actually increases your risk against a
    large class of kernel vulnerabilities)

   for 2.6.30 without SELinux enabled, compile with:
   cc -fPIC -fno-stack-protector -shared -o exploit.so exploit.c
   (on a 64bit system -m64 may be necessary to compile a 64bit .so)
   cc -o pwnkernel pwnkernel.c
   then just ./cheddar_bay.sh
   for 2.6.30 with SELinux enabled, compile with:
   cc -fno-stack-protector -o exploit exploit.c
   then just ./exploit

   for RHEL5 2.6.18 compile with:
   cc -fno-stack-protector -DRHEL5_SUCKS -o exploit exploit.c
   then just ./exploit
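As an added illustration of the "unexploitable at the source level, exploitable thanks to gcc optimizations" remark in the header above (this is not part of the exploit or of the original post): a user-space model of the check-after-dereference pattern from 2.6.30's tun_chr_poll, with the corrected ordering beside it. The struct definitions are simplified stand-ins, not the kernel's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (constructed for this
   illustration, not the real struct tun_struct / struct sock). */
struct sock { int refcnt; };
struct tun_struct { struct sock *sk; };

/* Bug pattern: the dereference tun->sk comes BEFORE the NULL test.
   Dereferencing NULL is undefined behaviour, so gcc is allowed to assume
   tun is non-NULL and delete the "if (!tun)" test at -O2. That is what
   turned a harmless-looking check into a NULL pointer dereference in
   2.6.30's tun_chr_poll. Shown for code audit only; never pass NULL. */
int poll_check_after_deref(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;      /* dereference first ...              */
    if (!tun)                       /* ... then a test gcc may optimize out */
        return -1;
    return sk->refcnt;
}

/* Fixed ordering: test the pointer before touching anything it points to.
   (The kernel additionally builds with -fno-delete-null-pointer-checks
   from 2.6.31 on, so the compiler keeps such tests even when misordered.) */
int poll_check_before_deref(struct tun_struct *tun)
{
    struct sock *sk;
    if (!tun)
        return -1;
    sk = tun->sk;
    return sk->refcnt;
}

/* Returns 1 when the fixed version rejects NULL and still agrees with the
   buggy version on a valid object (constructed sample data). */
int self_check(void)
{
    struct sock s = { 7 };
    struct tun_struct t = { &s };
    return poll_check_before_deref(NULL) == -1
        && poll_check_before_deref(&t) == 7
        && poll_check_after_deref(&t) == 7;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

Compile the buggy function once at -O0 and once at -O2 and compare the generated assembly to see the NULL test disappear.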

The following is a tip I received from 熊猫-san; thank you.

The explanation is in http://lkml.org/lkml/2009/7/20/361:

> With SELinux mapping the 0 page requires an SELinux policy permission,
> mmap_zero. Without SELinux mapping the 0 page requires CAP_SYS_RAWIO.
> Note that CAP_SYS_RAWIO roughly translates to uid=0 since no one really
> does interesting things with capabilities.

> But logged in users (by default), under SELinux, are 'unconfined' and
> can by their very nature run their program in a domain that allows
> mmap_zero.
