Discussion:
A casestudy where selinux has stopped malware attacks
masoom alam
2017-09-21 04:13:23 UTC
Hi everyone,

Do we have something like the mentioned subject documented?

Thank you.


*----*
*Dr. Masoom Alam,*
Associate Professor,
Department of Computer Science,
COMSATS Institute of Information Technology,
Park Road, Islamabad
Off +92-51-9049-5391
Cell +92-332-9298-404
Patrick K., ITF
2017-09-21 14:14:39 UTC
Hello,

Please read about SELinux here:

http://selinuxproject.org/page/FAQ


MAC (in the case of SELinux) or DAC (Discretionary Access Control) are there
to control the extent to which a user or process can access or interact
with resources.

They by nature may sandbox an attack, but are not there to stop malware
attacks.
They may mitigate some of them, like this one (exactly serving one of
its purposes):

CVE-2016-9962 docker: insecure opening of file-descriptor allows
privilege escalation:

http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/


Mitigating is not stopping, you still need to patch the vulnerability,
and it is not necessarily for all kinds of malware or cases of malware;
it depends on the malware, your settings, the environment, etc.

You may not deploy SELinux and think you stopped all attacks; it is just
a false sense of security.

P.S. With Special thanks to Dan Walsh of RedHat


Best regards,
--
Patrick K.
Post by masoom alam
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
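A practical way to see the "sandboxing" Patrick describes is to look at what SELinux actually refused: every enforced denial lands in the audit log as an AVC record. The script below is an added example, not code from Patrick's message or from any of the linked articles. It parses constructed AVC lines (the formats mimic auditd output, but the pids, inodes and contexts are made up), groups enforced denials by source domain, target type, object class and permission, and separately reports denials logged with permissive=1, which were recorded but not blocked. That last distinction is the caveat behind "mitigating is not stopping": a domain in permissive mode produces the same log lines as a confined one while stopping nothing.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit records. The layout follows auditd AVC lines, but
# every value (pids, inodes, ports, domain names such as myapp_t) is made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505998423.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505998424.001:457): avc:  denied  { execute } for  pid=1234 comm="httpd" name="upload.sh" dev="dm-0" ino=902 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505998425.500:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1505998426.700:459): avc:  denied  { read } for  pid=2201 comm="myapp" name="passwd" dev="dm-0" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1505998426.700:459): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd4c ppid=1 pid=2201
"""

# Matches the fixed part of an AVC record; the trailing key=value fields vary
# by object class (files carry name/dev/ino, sockets carry dest, and so on).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare non-space token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str       # "denied" or "granted"
    perms: tuple        # permissions named inside the braces, e.g. ("write",)
    fields: dict        # remaining key=value fields, quotes stripped

    @property
    def source_type(self):
        # scontext is user:role:type:level; the type is what policy reasons about
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self):
        # permissive=1 means the denial was only logged; the access went ahead
        return self.decision == "denied" and self.fields.get("permissive") == "0"


def parse_audit_log(text):
    """Return AvcRecord objects for every AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL, CWD, PATH and similar records are not handled here
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append(AvcRecord(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            decision=m.group("decision"),
            perms=tuple(m.group("perms").split()),
            fields=fields,
        ))
    return records


def summarize(records):
    """Split denials into enforced (counted per domain/target/class/perm) and permissive-only."""
    enforced = Counter()
    not_enforced = []
    for r in records:
        if r.decision != "denied":
            continue
        if not r.enforced:
            not_enforced.append(r)
            continue
        for perm in r.perms:
            enforced[(r.source_type, r.target_type, r.fields.get("tclass"), perm)] += 1
    return enforced, not_enforced


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    blocked, logged_only = summarize(recs)
    print("Enforced denials (access was actually refused):")
    for (src, tgt, cls, perm), n in sorted(blocked.items()):
        print(f"  {n}x {src} -> {tgt} ({cls}: {perm})")
    print("Permissive-only denials (logged, NOT blocked; domain needs enforcing):")
    for r in logged_only:
        print(f"  serial {r.serial}: {r.source_type} -> {r.target_type} "
              f"({r.fields.get('tclass')}: {' '.join(r.perms)})")
```

Run it against a real /var/log/audit/audit.log by feeding the file contents to parse_audit_log. The "enforced" section is the evidence that a confined domain was sandboxed; the "permissive-only" section is the list of domains where SELinux has not yet stopped anything, which is the first thing to check before crediting it with a mitigation.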
Joshua Brindle
2017-09-21 14:26:47 UTC
Post by masoom alam
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
Probably one of the better catalogued set of malware stopped by SELinux,
which shows various ways SELinux mitigated the attacks, is The Case For
SEAndroid from Stephen Smalley:

https://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
masoom alam
2017-09-21 14:31:26 UTC
Many thanks.
Post by Joshua Brindle
Post by masoom alam
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
Probably one of the better catalogued set of malware stopped by SELinux,
which shows various ways SELinux mitigated the attacks, is The Case For
https://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
Nick Kralevich via Selinux
2017-09-21 14:38:05 UTC
Android has tried to document pretty extensively how the reduction of
attack surface provided by SELinux has resulted in a significant
percentage of bugs being unreachable.

See, for example
https://www.blackhat.com/docs/us-17/thursday/us-17-Kralevich-Honey-I-Shrunk-The-Attack-Surface-Adventures-In-Android-Security-Hardening.pdf
slide 52, where 44% of our security bulletin class bugs are reduced in
severity because of SELinux attack surface management.

However, SELinux's primary goal isn't attack surface management
(although it's very good at it). Its primary purpose is containment
and being able to reason about the state of the system assuming a
compromise of any component. If SELinux stops a malware author, that
malware author will simply choose to not publish their non-working
code. Most people, including malware authors, will only celebrate
their successes, but won't publicize their failures. Measurements in
this area are hard.

-- Nick
Post by masoom alam
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
--
Nick Kralevich | Android Security | ***@google.com | 650.214.4037
Tracy Reed
2017-09-25 20:20:24 UTC
I wrote this:

https://www.reddit.com/r/selinux/comments/1xcb1t/selinux_saved_our_asses/

I have various other similar stories. And then there's this:

https://doublepulsar.com/hardening-apache-struts-with-selinux-db3a9cd1a10c
Post by masoom alam
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
--
Tracy Reed
http://tracyreed.org
Digital signature attached for your safety.