Hi Robert,

Thanks for your response.

On 10/09/15 13:02, Robert Moskowitz wrote:
> I went through the chroot/selinux review when Centos6 came out. I went with selinux and no chroot.
>
> I don't have too much of an issue with systemd; I am learning it as I go.

I must admit that I'm not that perturbed by systemd either. Reminds a little of Solaris SMF.

>
> I am putting up a Samba4 AD with Bind-DLZ backend. The Samba wiki explicitly calls out no chroot
> and kind of explains why.

Yes, I have already set this up on a CentOS 6 instance and have that working. But that is on a private network. The subject of this post relates to a public facing name server so it's a little more exposed. Some people would argue that chroot isn't a security mechanism.

>
> so I come out on the selinux side.

My feeling is that selinux should be enough security. Anyone else care to comment?

>
> On 09/09/2015 09:09 PM, Tom Robinson wrote:
>> Hi All,
>>
>> I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious of people's
>> opinions on chrooting vs selinux as a way of securing bind.
>>
>> The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets
>> up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy
>> giving:
>>
>> /var/named/chroot/var/named/chroot/var/named
>>
>> which seems totally unnecessary.
>>
>> I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
>> losing anything in terms of security?
>>
>> Also, would I bother with chrooting at all if selinux can secure the environment for me?
>>
>> My own opinions aside what do others think and has anyone had experience with this?
>>
>> Kind regards,
>> Tom
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> https://lists.centos.org/mailman/listinfo/centos