bind-chroot obsolete due to SElinux?

Paul Howarth paul at city-fan.org
Sat Mar 4 21:13:34 UTC 2006


On Sat, 2006-03-04 at 15:14 -0500, Jason Vas Dias wrote:
> On Saturday 04 March 2006 14:49, Ivan Gyurdiev <ivg2 at cornell.edu> wrote:
> >  
> >  > Yes
> >  >
> >  > There's no protection provided by bind-chroot that is not provided by running
> >  > named with SELinux in Enforcing mode.
> >  >   
> >  I have my doubts about that.
> >  
> >  A chroot jail allows you to easily see what bind can and cannot do.
> >  SELinux requires analysis of policy to accomplish the same thing.
> Not so - any infractions by named are clearly logged, which would not
> be the case if running in bind-chroot with SELinux disabled.

Those of us brought up around having layers of security will no doubt
continue to use both SELinux and chroot.

However, I think deprecating chroot in favour of SELinux at this time is
a bit premature. There are large numbers of users that habitually turn
off SELinux at the first hint of problems because they just can't get
their heads around it to fix issues they have with it. Setting up bind
in a chroot is relatively straightforward and people can follow recipes
they find on advice sites. Getting a system working happily with SELinux
(particularly for those people that like to put files in unusual places)
is a much bigger task for them to accomplish and many give up easily.

Paul.
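The two layers the thread compares are inspected differently: the jail is one config value, while SELinux "infractions" are AVC records in the audit log. This added example (not from the thread) shows both checks in POSIX sh; ROOTDIR is the variable the Fedora bind-chroot package sets and named_t is the targeted-policy domain for named, but the sysconfig and audit.log lines below are constructed samples.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/named as bind-chroot configures it.
SAMPLE_SYSCONFIG='# BIND named process options
ROOTDIR=/var/named/chroot
'

# Constructed audit.log lines in auditd AVC format (pids, inodes and
# timestamps are invented). Two denials are from named_t, one from httpd_t.
SAMPLE_AUDIT='type=AVC msg=audit(1141506814.123:45): avc:  denied  { write } for  pid=2345 comm="named" name="zone.db" dev=sda2 ino=12345 scontext=root:system_r:named_t:s0 tcontext=root:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1141506815.456:46): avc:  denied  { read } for  pid=2345 comm="named" name="passwd" dev=sda2 ino=678 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1141506816.789:47): avc:  denied  { read } for  pid=999 comm="httpd" name="shadow" dev=sda2 ino=679 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1141506816.789:47): arch=40000003 syscall=5 success=no exit=-13
'

# chroot layer: the jail root is a single value in the sysconfig file.
# Usage: named_rootdir "$(cat /etc/sysconfig/named)"
named_rootdir() {
    printf '%s' "$1" | sed -n 's/^ROOTDIR=//p'
}

# SELinux layer: count AVC denials whose source domain is named_t.
# Usage: named_avc_count "$(cat /var/log/audit/audit.log)"
named_avc_count() {
    printf '%s' "$1" | grep -c 'avc:  denied .* scontext=[^ ]*:named_t:'
}

# One line per named_t denial: "<permission> <target class>", e.g. "write file".
named_avc_summary() {
    printf '%s' "$1" | grep 'scontext=[^ ]*:named_t:' \
        | sed -n 's/.*denied  { \([a-z_]*\) }.*tclass=\([a-z_]*\).*/\1 \2/p'
}

echo "chroot root: $(named_rootdir "$SAMPLE_SYSCONFIG")"
echo "named_t denials: $(named_avc_count "$SAMPLE_AUDIT")"
named_avc_summary "$SAMPLE_AUDIT"
```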
