Re: bind chroot, bind mounts and selinux




Hi Robert,

Thanks for your response.

On 10/09/15 13:02, Robert Moskowitz wrote:
> I went through the chroot/selinux review when Centos6 came out.  I went with selinux and no chroot.
>
> I don't have too much of an issue with systemd; I am learning it as I go.
I must admit that I'm not that perturbed by systemd either. It reminds me a little of Solaris SMF.

>
> I am putting up a Samba4 AD with Bind-DLZ backend.  The Samba wiki explicitly calls out no chroot
> and kind of explains why.
Yes, I have already set this up on a CentOS 6 instance and have that working. But that is on a
private network. The subject of this post relates to a public facing name server so it's a little
more exposed.

Some people would argue that chroot isn't a security mechanism.

>
> so I come out on the selinux side.

My feeling is that selinux should be enough security.

Anyone else care to comment?


>
> On 09/09/2015 09:09 PM, Tom Robinson wrote:
>> Hi All,
>>
>> I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious about people's
>> opinions on chrooting vs selinux as a way of securing bind.
>>
>> The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets
>> up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy
>> giving:
>>
>> /var/named/chroot/var/named/chroot/var/named
>>
>> which seems totally unnecessary.
>>
>> I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
>> losing anything in terms of security?
>>
>> Also, would I bother with chrooting at all if selinux can secure the environment for me?
>>
>> My own opinions aside what do others think and has anyone had experience with this?
>>
>> Kind regards,
>> Tom
>>
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> https://lists.centos.org/mailman/listinfo/centos
>



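An added example, not code from the thread, from the bind-chroot package or from setup-named-chroot.sh: a small POSIX sh audit that checks the two things the thread turns on, whether the running named process is actually confined in the SELinux domain named_t, and which mount points the bind-mount chroot has put under /var/named/chroot, including the doubled /var/named/chroot/var/named/chroot path. Each function reads stdin so it can be fed real `ps -eZ` output or `/proc/self/mounts` on a host; the sample lines at the bottom are constructed for offline use and are not from any real machine.

```shell
#!/bin/sh
# Added example (not from the thread or the bind-chroot package).
# Audits named's confinement on a CentOS 7 style host:
#   1. is the named process in the SELinux domain named_t?
#   2. which mount points sit under the bind-chroot root, and is the
#      nested /var/named/chroot/var/named/chroot path present?
# All functions read stdin, so they accept real output (ps -eZ,
# /proc/self/mounts) or the constructed samples below.

CHROOT_ROOT=/var/named/chroot

# named_domain: from `ps -eZ` lines (context in field 1, command in the
# last field) print the domain, i.e. the third colon-separated part of the
# context, of the first process named "named"; prints nothing if absent.
named_domain() {
    awk '$NF == "named" { split($1, ctx, ":"); print ctx[3]; exit }'
}

# named_is_confined: exit 0 only when named runs as named_t.
named_is_confined() {
    [ "$(named_domain)" = "named_t" ]
}

# chroot_mounts: from /proc/self/mounts lines (mount point in field 2)
# print every mount point that is CHROOT_ROOT or lies below it, sorted.
chroot_mounts() {
    awk -v root="$CHROOT_ROOT" \
        '$2 == root || index($2, root "/") == 1 { print $2 }' | sort
}

# nested_chroot_present: exit 0 if the doubled chroot hierarchy the
# setup script creates through bind mounts is mounted.
nested_chroot_present() {
    chroot_mounts | grep -q "^$CHROOT_ROOT/var/named/chroot"
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:named_t:s0 1234 ? 00:00:01 named
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash'

# Same process list, but named started outside the policy (e.g. by hand).
SAMPLE_PS_UNCONFINED='system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
unconfined_u:unconfined_r:unconfined_t:s0 1234 ? 00:00:01 named'

SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
/dev/sda1 /var/named/chroot/etc/named xfs rw,relatime 0 0
/dev/sda1 /var/named/chroot/var/named xfs rw,relatime 0 0
/dev/sda1 /var/named/chroot/var/named/chroot xfs rw,relatime 0 0
tmpfs /var/named/chroot/run/named tmpfs rw 0 0
/dev/sda1 /var/named/chroot-backup xfs rw,relatime 0 0'

# Stand-alone run against the samples; on a live host use instead:
#   ps -eZ | named_is_confined && echo "named is confined (named_t)"
#   chroot_mounts < /proc/self/mounts
printf '%s\n' "$SAMPLE_PS" | named_is_confined \
    && echo "sample: named is confined (named_t)" \
    || echo "sample: named is NOT confined"
printf '%s\n' "$SAMPLE_MOUNTS" | chroot_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | nested_chroot_present \
    && echo "sample: nested chroot path is mounted"
```

The domain check is the one that matters for the "selinux should be enough" position: if `ps -eZ` shows named in a domain other than named_t (for instance because it was started by hand from an unconfined shell), the policy is not confining it at all, chroot or no chroot. The mount listing deliberately excludes siblings such as /var/named/chroot-backup so that only paths inside the chroot root are reported.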
