I went through the chroot/selinux review when CentOS 6 came out. I went with selinux and no chroot. I don't have too much of an issue with systemd; I am learning it as I go. I am putting up a Samba4 AD with Bind-DLZ backend. The Samba wiki explicitly calls out no chroot and kind of explains why. So I come out on the selinux side.

On 09/09/2015 09:09 PM, Tom Robinson wrote:
> Hi All,
>
> I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious of people's
> opinions on chrooting vs selinux as a way of securing bind.
>
> The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets
> up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy
> giving:
>
> /var/named/chroot/var/named/chroot/var/named
>
> which seems totally unnecessary.
>
> I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
> losing anything in terms of security?
>
> Also, would I bother with chrooting at all if selinux can secure the environment for me?
>
> My own opinions aside, what do others think and has anyone had experience with this?
>
> Kind regards,
> Tom