On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>> But make sure to have SELinux enabled if you do not run it chrooted.
>>
>> I have mine running that way.
>
> I bluntly admit not using SELinux, because until now, I mainly used more
> bone-headed systems that didn't implement it. Maybe this is the right
> time to get started.
>
> I understand there's a wealth of information about SELinux. Any
> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
> extensive documentation, but I prefer stuff that's well-written.
>
> Cheers,
>
> Niki
>

I don't use SELinux because it gets in my way far more than it ever actually protects me from anything. I'm sure there are systems where it absolutely is necessary, but I don't like to have stuff fail because I used mv instead of cp to install a certificate, for example. For authoritative DNS I also do not use chroot, but authoritative DNS is all those servers do, and I use zones signed externally via DNSSEC (no private keys on the server).