On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> Chroot is good and traditional method how restrict daemons. Many users
> still use it and it is far more easy create chroot configuration than
> create/maintain SELinux policy. I don't think SELinux obsoletes
> chroot, both try restrict daemon privileges and both have + and -.

chroot isn't a security feature. It helps for some non-root cases but there are ways out of chroots and there are all sorts of fun things that can be used to escape a chroot in the right circumstances. It's also inadequate for some forms of attack.

If I can persuade your named to run code of my choice in a chroot without selinux then I can still use your box as a spam machine, botnet host, DoS attack tool, proxy, etc., all without breaking the chroot. In the SELinux case a lot of those actions will hit SELinux denials.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list