named and chroot? Was running it for 4 years in a jail.
Regards Peter On Fri, Sep 11, 2015 at 10:36 AM, Trent W. Buck <[email protected]> wrote: > Russell Coker writes: > >> On Thu, 10 Sep 2015 11:52:31 AM Trent W. Buck wrote: >>> chroot isn't a security mechanism. >> >> I believe that there is no benefit in allowing a chroot when using SE >> Linux. If a daemon is to chroot then it needs to be granted the >> chroot capability [...] > > Not strictly true. > > systemd.exec(5) can chroot before spawning the daemon, > the same way it can seteuid before spawning the daemon. > > Whether this would ACTUALLY be sufficient is... debatable. :-) > > For named or nsd, I think it would actually make more sense to use the > Private*= and *Directories= options to set up a new VFS namespace. > > IOW rather than named seeing /var/named/chroot as its root, > it would see the regular / but with most subdirs hidden. > > Binding to the low port would be solved either using socket activation > (requires patched daemon) or by setpcap CAP_NET_BIND_SERVICE. > > I'm not sure whether its worth while to do *both* selinux and that kind > of security ricing. Probably not. > > _______________________________________________ > luv-main mailing list > [email protected] > http://lists.luv.asn.au/listinfo/luv-main _______________________________________________ luv-main mailing list [email protected] http://lists.luv.asn.au/listinfo/luv-main
