I'm not sure when the last time you used Linux was, but SELinux is enabled by default on
Fedora and RHEL (and others I'm sure, but I haven't checked). Your usage argument doesn't
apply anyways, since it doesn't come into play when labeling bugs as security-related for
obscure hardware which may only affect a tiny number of users (much much smaller than the
number of users of SELinux). Either these bugs need to be taken seriously (and they have in
the past, so I'm not sure why this one was declared a non-issue) or people need to be told
that SELinux is completely worthless against preventing complete compromise as any root-based
vulnerability that can totally subvert its security isn't considered a security bug and thus
won't be backported to any distribution-maintained kernel.
Generally when a kernel bug is identified as security-relevant, someone creates a CVE for it.
The problem in this case was the committer (Al Viro) knew of the security relevance of the bug
but covered it up in his changelog, which resulted in it getting covered up at the -stable
level. Now tell me how any distribution is supposed to know to backport this security fix if
for this 220.127.116.11 release, as with the 18.104.22.168 release with silently fixed vulnerabilities,
no security implications whatsoever are mentioned?
I don't know about the one that didn't make it into -stable, I was just pointing out that it
belongs to the class of trivially exploitable bugs. I'm sure when it makes it into -stable
(if it does), its exploitability will again be covered up.