[CentOS] bind chroot, bind mounts and selinux

Thu Sep 10 03:02:02 UTC 2015
Robert Moskowitz <rgm at htt-consult.com>

I went through the chroot/selinux review when CentOS 6 came out.  I went 
with selinux and no chroot.

I don't have too much of an issue with systemd; I am learning it as I go.

I am putting up a Samba4 AD with Bind-DLZ backend.  The Samba wiki 
explicitly calls out no chroot and kind of explains why.

So I come out on the selinux side.

On 09/09/2015 09:09 PM, Tom Robinson wrote:
> Hi All,
> I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious of people's
> opinions on chrooting vs selinux as a way of securing bind.
> The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets
> up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy
> giving:
> /var/named/chroot/var/named/chroot/var/named
> which seems totally unnecessary.
> I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
> losing anything in terms of security?
> Also, would I bother with chrooting at all if selinux can secure the environment for me?
> My own opinions aside what do others think and has anyone had experience with this?
> Kind regards,
> Tom
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
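A check for which confinement a running named actually has (chroot root, SELinux domain, and how many mount points the setup script layered under the chroot), as an added example that is not part of this thread or of the bind-chroot package. The PROC and MOUNTS arguments are assumed helpers so the function can be run against a constructed /proc tree as well as the live system:

```shell
#!/bin/sh
# Report how a running named is confined. The chroot root is read from
# /proc/PID/root (named calls chroot(2) itself when started with -t), the
# SELinux domain from /proc/PID/attr/current, and the bind mounts created by
# setup-named-chroot.sh are counted as mount entries below that root in the
# host's mount table. PROC and MOUNTS default to the live system (assumed
# parameters so a test can point them at a constructed tree).
named_confinement() {
    pid=$1
    proc=${2:-/proc}
    mounts=${3:-/proc/self/mounts}

    # "/" means no chroot; anything else is the chroot root as the host sees it.
    root=$(readlink "$proc/$pid/root" 2>/dev/null) || root="?"

    # e.g. system_u:system_r:named_t:s0 when confined; "unconfined" or
    # "kernel" when not; missing entirely when SELinux is disabled.
    ctx=$(cat "$proc/$pid/attr/current" 2>/dev/null) || ctx=""
    domain=${ctx:-none}
    # Keep only the type field when a full context is present.
    case $domain in
        *:*:*) domain=$(printf '%s\n' "$domain" | cut -d: -f3) ;;
    esac

    # Mount points under the chroot root: the bind-mount layering the
    # setup script builds (zero when named is not chrooted at all).
    binds=0
    if [ "$root" != "/" ] && [ "$root" != "?" ]; then
        binds=$(awk -v r="$root/" 'index($2, r) == 1 { n++ } END { print n+0 }' "$mounts")
    fi

    printf 'root=%s domain=%s binds_under_root=%s\n' "$root" "$domain" "$binds"
}

# Live usage (reading another user's /proc entry needs root):
#   named_confinement "$(pidof named)"
```

A result of root=/ with domain=named_t is the "selinux, no chroot" setup from the reply above; root=/var/named/chroot with binds_under_root greater than zero is what the CentOS 7 bind-chroot script produces.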