Re: bind vs. bind-chroot






On 04/13/2017 12:11 PM, Leon Fauster wrote:
On 13.04.2017 at 17:40, Valeri Galtsev <galtsev@xxxxxxxxxxxxxxxxx> wrote:


On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
On 13/04/2017 at 04:27, Robert Moskowitz wrote:
But make sure to have SELinux enabled if you do not run it chrooted.

I have mine running that way.
I bluntly admit not using SELinux, because until now, I mainly used more
bone-headed systems that didn't implement it. Maybe this is the right
time to get started.
Another alternative with at least same level of security, though not
giving me any trouble I hear people sometimes have with SELinux is to run
services in separate jails (or other containers) - with base system
mounted inside jail read-only (I use FreeBSD jails - apologies for
mentioning, but Linux experts here can suggest fair Linux equivalent).

bind-chroot is a subpackage and quite straight forward (yum install bind-chroot).
No need to handle jails and their environment updates when the base system
gets updated (we use rpm trigger scripts for that).

Correct, no real need for creating something special; bind-chroot has been around for years and just works. Before SELinux it was what we did. My last DNS server was Redsleeve 6, on which I could not get SELinux working, so I just ran chroot. Now I have Centos7-arm with SELinux, so no chroot.
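A check an administrator might script for the choice discussed above: is the running named confined by SELinux (domain named_t with the system in Enforcing mode), by a chroot, by both, or by neither? This is an added example, not code from any poster; it assumes procps `ps`, `getenforce` and `pidof` are available, and that bind-chroot's root is /var/named/chroot (labelled as an assumption in the comments).

```shell
#!/bin/sh
# Added example (not from the thread): classify how a running named is confined.
# named_posture holds the decision logic and takes plain strings, so it can be
# exercised on constructed values; collect_named_posture gathers the real
# values (reading /proc/PID/root of another user's process needs root).

# Args: getenforce output, SELinux label of the named process, resolved /proc/PID/root
named_posture() {
    enforce="$1"; label="$2"; root="$3"
    confined=no; chrooted=no
    # named_t is the domain the bind policy confines named to; only Enforcing
    # mode actually blocks denied accesses (Permissive merely logs them)
    if [ "$enforce" = "Enforcing" ]; then
        case "$label" in *:named_t:*) confined=yes ;; esac
    fi
    # A chrooted process shows a root other than "/" when viewed from outside;
    # for bind-chroot that is assumed to be /var/named/chroot
    if [ -n "$root" ] && [ "$root" != "/" ]; then
        chrooted=yes
    fi
    if [ "$confined" = yes ] && [ "$chrooted" = yes ]; then echo "selinux+chroot"
    elif [ "$confined" = yes ]; then echo "selinux"
    elif [ "$chrooted" = yes ]; then echo "chroot"
    else echo "unconfined"
    fi
}

# Gather the three inputs from the live system and classify
collect_named_posture() {
    pid=$(pidof named 2>/dev/null | awk '{print $1}')
    if [ -z "$pid" ]; then echo "named not running" >&2; return 1; fi
    enforce=$(getenforce 2>/dev/null || echo Disabled)
    label=$(ps -o label= -p "$pid" 2>/dev/null)
    root=$(readlink "/proc/$pid/root" 2>/dev/null)
    named_posture "$enforce" "$label" "$root"
}

# Run against the live system only when asked, so sourcing the file is side-effect free
if [ "${1:-}" = "--live" ]; then collect_named_posture; fi
```

Running `sh check_named.sh --live` as root prints one of `selinux+chroot`, `selinux`, `chroot` or `unconfined`; the last is the case the posters above are warning against.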


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



