> On 13.04.2017 at 17:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>
> On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>
>>> I have mine running that way.
>>
>> I bluntly admit not using SELinux, because until now, I mainly used more
>> bone-headed systems that didn't implement it. Maybe this is the right
>> time to get started.
>
> Another alternative with at least the same level of security, though not
> giving me any trouble I hear people sometimes have with SELinux, is to run
> services in separate jails (or other containers) - with the base system
> mounted inside the jail read-only (I use FreeBSD jails - apologies for
> mentioning, but Linux experts here can suggest a fair Linux equivalent).

bind-chroot is a subpackage and quite straightforward (yum install bind-chroot).
No need to handle jails and their environment updates when the base system gets
updated (we use rpm trigger scripts for that).

-- 
LF
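The thread's advice boils down to "run named chrooted, or at least have SELinux enforcing". The following POSIX shell script is an added example, not code from the list or from the bind-chroot package; it audits a running named against exactly that rule. The functions take the /proc/<pid> and /sys/fs/selinux directories as arguments so they can also be pointed at constructed test directories.

```sh
#!/bin/sh
# Added example: check that BIND is confined by a chroot or by SELinux enforcing.
# Real use: audit_named (needs permission to read /proc/<pid>/root of named).

# is_chrooted PROCDIR
# /proc/<pid>/root is a symlink to the process's root directory. A named started
# with "-t /var/named/chroot" (as bind-chroot's unit file does) reports that path;
# an unconfined daemon reports "/". Returns 2 if the link cannot be read.
is_chrooted() {
    root=$(readlink "$1/root") || return 2
    [ -n "$root" ] && [ "$root" != "/" ]
}

# selinux_enforcing SELINUXFS
# /sys/fs/selinux/enforce reads "1" when SELinux is enforcing, "0" when permissive.
# Returns 2 if selinuxfs is not mounted or not readable (SELinux disabled).
selinux_enforcing() {
    [ -r "$1/enforce" ] || return 2
    [ "$(cat "$1/enforce")" = "1" ]
}

# named_confined PROCDIR SELINUXFS
# 0 if at least one mechanism is in effect, 1 if the daemon has neither.
named_confined() {
    if is_chrooted "$1"; then return 0; fi
    if selinux_enforcing "$2"; then return 0; fi
    return 1
}

# audit_named: run the check against every named process on this host.
# Exit status is non-zero if any instance is unconfined or none is running.
audit_named() {
    pids=$(pgrep -x named) || { echo "named is not running"; return 1; }
    rc=0
    for pid in $pids; do
        if named_confined "/proc/$pid" /sys/fs/selinux; then
            echo "named[$pid]: confined (chroot or SELinux enforcing)"
        else
            echo "named[$pid]: NOT chrooted and SELinux not enforcing"
            rc=1
        fi
    done
    return $rc
}
```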