On Mon, 10 Nov 2008, yersinia wrote: > But many people disable Selinux, so it is always better to have a secure > alternatives - Selinux is better IMHO and it is possible > to do "chroot" better with selinux ( > http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html > ) The question is, is it worth the hassle of maintaining the chroot. This is important for both named and unbound as they will be able in the near future to include dnssec keys, which will be provided by a different package. So one has to update the chroot when a "third party" package updates itself. I'm currently doing this with the unbound nameserver, but it is quite ugly. Paul -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
