On 08/19/2014 11:20 AM, Tomasz Torcz wrote: > On Tue, Aug 19, 2014 at 10:12:31AM -0500, Chris Adams wrote: >> Once upon a time, Tomas Hozza <thozza@xxxxxxxxxx> said: >>> That's where seccomp kicks in, it acts as a 2nd wall of defence. In case >>> of a security hole being present in the server process, it goes further >>> than a chroot, it prevents the attacker from making socket connections >>> orexecuting his code, as his "playing field" is significantly reduced. >>> There's very little he can do.” >> How is that different from an SELinux policy? How is the additional >> resitrction handled (if it isn't SELinux, what mechanism is used to do >> the restriction)? > The mechanism is called ”seccomp” – http://en.wikipedia.org/wiki/Seccomp > Seccomp can add additional security features to SELinux by eliminating certain syscalls. I think using both SELinux and seccomp is a good idea. Security in Depth. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct