[CentOS] bind chroot, bind mounts and selinux

Thu Sep 10 04:39:32 UTC 2015
Tom Robinson <tom.robinson at motec.com.au>

Hi Robert,

Thanks for your response.

On 10/09/15 13:02, Robert Moskowitz wrote:
> I went through the chroot/selinux review when Centos6 came out.  I went with selinux and no chroot.
>
> I don't have too much of an issue with systemd; I am learning it as I go.
I must admit that I'm not that perturbed by systemd either. Reminds me a little of Solaris SMF.

>
> I am putting up a Samba4 AD with Bind-DLZ backend.  The Samba wiki explicitly calls out no chroot
> and kind of explains why.
Yes, I have already set this up on a CentOS 6 instance and have that working. But that is on a
private network. The subject of this post relates to a public facing name server so it's a little
more exposed.

Some people would argue that chroot isn't a security mechanism.

>
> so I come out on the selinux side.

My feeling is that selinux should be enough security.

Anyone else care to comment?


>
> On 09/09/2015 09:09 PM, Tom Robinson wrote:
>> Hi All,
>>
>> I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious of people's
>> opinions on chrooting vs selinux as a way of securing bind.
>>
>> The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets
>> up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy
>> giving:
>>
>> /var/named/chroot/var/named/chroot/var/named
>>
>> which seems totally unnecessary.
>>
>> I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
>> losing anything in terms of security?
>>
>> Also, would I bother with chrooting at all if selinux can secure the environment for me?
>>
>> My own opinions aside what do others think and has anyone had experience with this?
>>
>> Kind regards,
>> Tom
>>
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos

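An added example, not part of the thread above and not from the bind-chroot package itself: two checks worth running on a CentOS 7 BIND host before deciding whether SELinux alone is enough. The first confirms that named is actually running in the named_t domain (SELinux confines nothing if the process ended up unconfined). The second lists the bind mounts that setup-named-chroot.sh leaves under /var/named/chroot and picks out the one that binds a directory into a subdirectory of itself, which is what produces the /var/named/chroot/var/named/chroot/var/named path Tom describes: that path is the bind-mounted view of /var/named showing its own chroot/ directory, not a second chroot level. The functions take their input as text; the ps -eZ and findmnt samples embedded below are constructed, the column layout assumed is that of `ps -eZ` (LABEL PID TTY TIME CMD) and `findmnt -ln -o TARGET,SOURCE,OPTIONS`, and /var/named/chroot is assumed as the chroot root.

```shell
#!/bin/sh
# Added example, not code from the original thread or from bind-chroot.
# On a live host run:
#   named_confined "$(ps -eZ)"
#   self_nested_binds "$(findmnt -ln -o TARGET,SOURCE,OPTIONS)"

# Print the SELinux type of every process whose command is "named".
# ps -eZ columns are LABEL PID TTY TIME CMD; the type is the 3rd ":" field
# of the label.  Exit status 1 if no named process is present at all.
named_domain() {
    printf '%s\n' "$1" | awk '
        $NF == "named" { split($1, ctx, ":"); print ctx[3]; found = 1 }
        END { exit !found }'
}

# Succeed only if at least one named process exists and every one of them
# runs in named_t.  Anything else means the policy is not what confines it.
named_confined() {
    doms=$(named_domain "$1") || return 1
    for d in $doms; do
        [ "$d" = "named_t" ] || return 1
    done
    return 0
}

# List mount targets below the chroot root (default /var/named/chroot).
chroot_mounts() {
    printf '%s\n' "$1" | awk -v root="${2:-/var/named/chroot}" \
        'index($1, root "/") == 1 { print $1 }'
}

# Print the target of every bind mount whose source subtree (findmnt shows
# it as "device[/path]" in the SOURCE column) is an ancestor of the target.
# Such a mount shows its own mount point inside itself, hence the doubled
# /var/named/chroot/var/named/chroot/... path.
self_nested_binds() {
    printf '%s\n' "$1" | awk '
        index($2, "[") {
            sub(/^[^[]*\[/, "", $2)      # drop the device, keep "/path]"
            sub(/]$/, "", $2)            # drop the closing bracket
            if (index($1, $2 "/") == 1) print $1
        }'
}

# Constructed sample output (not captured from a real host).
PS_CONFINED='LABEL                           PID TTY      TIME CMD
system_u:system_r:named_t:s0       1234 ?    00:00:01 named
system_u:system_r:named_t:s0       1240 ?    00:00:00 named
system_u:system_r:sshd_t:s0-s0:c0.c1023 902 ?    00:00:00 sshd'

# Constructed: what you would see if /usr/sbin/named had lost its
# named_exec_t label and systemd started it without a domain transition.
PS_UNCONFINED='LABEL                           PID TTY      TIME CMD
system_u:system_r:unconfined_service_t:s0 1234 ?    00:00:01 named'

# Constructed findmnt listing of the bind mounts setup-named-chroot.sh makes.
MOUNTS='/ /dev/mapper/centos-root rw,relatime
/var/named/chroot/etc/named.conf /dev/mapper/centos-root[/etc/named.conf] rw,relatime
/var/named/chroot/etc/named /dev/mapper/centos-root[/etc/named] rw,relatime
/var/named/chroot/var/named /dev/mapper/centos-root[/var/named] rw,relatime
/var/named/chroot/run/named /dev/mapper/centos-root[/run/named] rw,relatime'

# Demo against the constructed samples.
named_confined "$PS_CONFINED" && echo "sample 1: named runs as named_t"
named_confined "$PS_UNCONFINED" || echo "sample 2: named is NOT confined"
echo "bind mounts under the chroot:"; chroot_mounts "$MOUNTS"
echo "self-nested bind (origin of the doubled path):"; self_nested_binds "$MOUNTS"
```

Run the file as-is to see the constructed samples classified; on a real host, an empty result from self_nested_binds after `systemctl start named-chroot` means the /var/named bind mount is missing and the chroot is not what the package intends, while a non-named_t result from named_domain means the SELinux side of the argument does not apply yet.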