Comment 20 for bug 634183

In , Jeff (jeff-redhat-bugs) wrote :

Creating a partition that contains _ONLY_ setuid/setgid binaries
not only makes finding _ALL_ setuid/setgid programs trivial,
but also prevents hardlinks without the necessity of chattr.

Either chattr all setuid/setgid programs, or isolate on a separate
partition preventing xdev hardlinks are intrinsically sounder
approaches than pasting CVEs against RPM.
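
An audit for the condition the comment above is concerned with, added here as an example and not part of the comment or of RPM: it lists setuid/setgid files on one filesystem and reports any inode that has more than one name, including names that lie outside the searched tree. It assumes GNU find; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit setuid/setgid files for extra hard links.
# Assumes GNU find (-perm /6000, -printf). Paths containing tabs or
# newlines are not handled.

# One line per setuid/setgid regular file under $1, staying on the
# same filesystem (-xdev): inode, link count, octal mode, path.
suid_list() {
    find "$1" -xdev -type f -perm /6000 -printf '%i\t%n\t%m\t%p\n'
}

# Report every setuid/setgid inode that has more than one name.
# If fewer names are found under $1 than the inode's link count,
# another name exists elsewhere on the same filesystem.
suid_multilink() {
    suid_list "$1" | awk -F'\t' '
        $2 > 1 {
            seen[$1]++
            links[$1] = $2
            mode[$1] = $3
            names[$1] = names[$1] "  " $4 "\n"
        }
        END {
            for (i in seen) {
                if (seen[i] < links[i])
                    note = "names outside searched tree"
                else
                    note = "all names found"
                printf "inode %s links=%s mode=%s (%s)\n%s",
                       i, links[i], mode[i], note, names[i]
            }
        }'
}

# Stand-alone use: sh script.sh /usr
if [ "$#" -gt 0 ]; then
    suid_multilink "$1"
fi
```

On a partition that holds only setuid/setgid binaries, `suid_list` should return every file on it, and `suid_multilink` should return nothing unless a package legitimately ships hard-linked names.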