End of bind-chroot-admin script
Alan Cox
alan at redhat.com
Mon Nov 10 11:58:38 UTC 2008
On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> Chroot is good and traditional method how restrict daemons. Many users
> still use it and it is far more easy create chroot configuration than
> create/maintain SELinux policy. I don't think SELinux obsoletes
> chroot, both try restrict daemon privileges and both have + and -.
chroot isn't a security feature. It helps for some non-root cases but there
are ways out of chroots and there are all sorts of fun things that can be
used to escape a chroot in the right circumstances.
Its also inadequate for some forms of attack. If I can persuade your named to
run code of my choice in a chroot without selinux then I can still use your
box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all without
breaking the chroot.
In the SELinux case a lot of those actions will hit SELinux denials.
More information about the fedora-devel-list
mailing list