Vincent's point is the right one I think. We need to deploy security "in depth". Every single setuid executable should be SHIPPED protected, just pick your style of protection.
SELinux should be shipped enabled like Red Hat does. Think it's too hard to administer? Then ship it with multiple models implemented in multiple rule sets like Red Hat does. Then you can choose your style of mandatory access control with a mouse click at installation.
$ firejail --profile="" ls
Reading profile /etc/firejail/firefox.profile
[...]
Error: execute permission denied for /usr/bin/pkexec
Error: no suitable pkexec executable found
> Servers don't have browsers installed on them, for exactly this reason.
Servers shouldn't have pkexec installed in the first place, anyway.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
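The two practical points in this thread, that every setuid executable on a box should be accounted for and protected, and that pkexec has no business being installed (let alone setuid) on a server, can both be checked with a few lines of POSIX sh. The script below is an added example, not code from any poster or from the firejail or polkit projects. The allowlist of "expected" setuid binaries is a constructed assumption to tune per distribution, and `/usr/bin/pkexec` is assumed as the install path; the functions take a root directory as their first argument so they can be run against a chroot, a mounted image, or a scratch tree.

```shell
#!/bin/sh
# Added example (not from the thread): audit setuid binaries under a root
# directory and report or neutralise pkexec.  Run against "/" for the live
# system, or against any directory tree (chroot, mounted image).

# Print every setuid regular file under $1, one path per line.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Number of setuid regular files under $1.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Constructed allowlist (assumption) of setuid binaries a minimal server is
# expected to carry; anything else is reported so it can be justified,
# confined (SELinux, firejail, ...) or removed.  pkexec is deliberately absent.
ALLOWED_SETUID="/bin/su /usr/bin/su /usr/bin/sudo /usr/bin/passwd"

# Print setuid files under $1 that are not on the allowlist, as paths
# relative to the root (so "/" and a scratch tree give the same answer).
unexpected_setuid() {
    root=${1%/}
    list_setuid "$1" | while IFS= read -r f; do
        rel=${f#"$root"}
        case " $ALLOWED_SETUID " in
            *" $rel "*) ;;          # expected, say nothing
            *) echo "$rel" ;;
        esac
    done
}

# State of pkexec under root $1 (install path is an assumption):
#   absent - not installed, which is what the thread recommends for servers
#   setuid - installed and setuid root, the default packaging
#   nosuid - installed but with the setuid bit stripped
pkexec_state() {
    p="${1%/}/usr/bin/pkexec"
    if [ ! -e "$p" ]; then echo absent
    elif [ -u "$p" ]; then echo setuid      # [ -u ] tests the setuid bit
    else echo nosuid
    fi
}

# Remove the setuid bit from $1 if set.  Prints "stripped" or "clean".
# This is a stop-gap that keeps the binary runnable but no longer privileged;
# removing the package is the cleaner fix where nothing needs it.
strip_setuid() {
    if [ -u "$1" ]; then
        chmod u-s "$1" && echo stripped
    else
        echo clean
    fi
}

# Report on the live system only when asked, so sourcing the file is harmless:
#   sh audit-setuid.sh --report
case "${1:-}" in
    --report)
        echo "setuid files under /: $(count_setuid /)"
        echo "not on allowlist:"; unexpected_setuid /
        echo "pkexec: $(pkexec_state /)"
        ;;
esac
```

Stripping the setuid bit (or running `chmod 0755` on the binary, as several distributions recommended as an interim measure) does not break a system that never calls pkexec, which is exactly the server case discussed above; on a desktop, confine it instead or accept the package update.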