Re: bind chroot, bind mounts and selinux




I went through the chroot/selinux review when CentOS 6 came out. I went with selinux and no chroot.

I don't have too much of an issue with systemd; I am learning it as I go.

I am putting up a Samba4 AD with Bind-DLZ backend. The Samba wiki explicitly calls out no chroot and kind of explains why.

So I come out on the selinux side.

On 09/09/2015 09:09 PM, Tom Robinson wrote:
Hi All,

I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious of people's
opinions on chrooting vs selinux as a way of securing bind.

The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets
up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy
giving:

/var/named/chroot/var/named/chroot/var/named

which seems totally unnecessary.

I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
losing anything in terms of security?

Also, would I bother with chrooting at all if selinux can secure the environment for me?

My own opinions aside what do others think and has anyone had experience with this?

Kind regards,
Tom



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
