[CentOS] bind vs. bind-chroot

Thu Apr 13 16:57:47 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 04/13/2017 12:11 PM, Leon Fauster wrote:
>> Am 13.04.2017 um 17:40 schrieb Valeri Galtsev <galtsev at kicp.uchicago.edu>:
>>
>>
>> On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
>>> Le 13/04/2017 à 04:27, Robert Moskowitz a écrit :
>>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>>
>>>> I have mine running that way.
>>> I bluntly admit not using SELinux, because until now, I mainly used more
>>> bone-headed systems that didn't implement it. Maybe this is the right
>>> time to get started.
>> Another alternative with at least the same level of security, though not
>> giving me any of the trouble I hear people sometimes have with SELinux, is to run
>> services in separate jails (or other containers), with the base system
>> mounted inside the jail read-only (I use FreeBSD jails; apologies for
>> mentioning it, but the Linux experts here can suggest a fair Linux equivalent).
>
> bind-chroot is a subpackage and quite straightforward (yum install bind-chroot).
> No need to handle jails and their environment updates when the base system
> gets updated (we use rpm trigger scripts for that).

Correct, no real need for creating something special; bind-chroot has 
been around for years and just works. Before SELinux it was what we 
did. My last DNS server was Redsleeve 6, on which I could not get SELinux 
working, so I just ran chroot. Now I have CentOS 7 ARM with SELinux, so 
no chroot.
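The thread settles on two acceptable deployments: named in the bind-chroot jail, or named unchrooted but confined by SELinux. The script below is an added example, not part of the list discussion, that checks which of the two a host is actually in, so that "no chroot" does not silently become "no chroot and SELinux permissive". It parses `getenforce` output, a `ps -eZ` listing (named should run in the `named_t` domain on CentOS 7) and the state of `named-chroot.service`; the sample listings embedded in it are constructed, not captured from a real host, and the `--live` flag and the `classify` function are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a non-chroot bind is
# actually protected by SELinux, or that the bind-chroot service is active.
# The checks parse text, so they run on the constructed samples below as
# well as on a live CentOS 7 host (pass --live).

# Return 0 if the given getenforce output reads "Enforcing".
selinux_enforcing() {
    [ "$1" = "Enforcing" ]
}

# Return 0 if a ps -eZ style listing shows a "named" process whose SELinux
# label carries the named_t type, e.g.
#   system_u:system_r:named_t:s0  1234 ?  00:00:01 named
named_confined() {
    printf '%s\n' "$1" |
        awk '$NF == "named" && $1 ~ /:named_t:/ { found = 1 }
             END { exit(found ? 0 : 1) }'
}

# Classify the deployment:
#   chroot      - named-chroot.service is active (bind-chroot subpackage model)
#   selinux     - SELinux Enforcing and named confined in named_t
#   unprotected - neither protection is in place
# $1 = getenforce output, $2 = ps -eZ output, $3 = named-chroot.service state
classify() {
    if [ "$3" = "active" ]; then
        echo chroot
    elif selinux_enforcing "$1" && named_confined "$2"; then
        echo selinux
    else
        echo unprotected
    fi
}

# Constructed sample listings (not captured from a real host).
SAMPLE_PS_CONFINED='system_u:system_r:named_t:s0      1234 ?        00:00:01 named
unconfined_u:unconfined_r:unconfined_t:s0 2201 pts/0 00:00:00 bash'
SAMPLE_PS_UNCONFINED='system_u:system_r:unconfined_service_t:s0 1234 ? 00:00:01 named'

if [ "${1:-}" = "--live" ]; then
    # On a real host: gather the same three inputs from the system.
    if command -v getenforce >/dev/null 2>&1; then enf=$(getenforce); else enf=Disabled; fi
    ps_out=$(ps -eZ 2>/dev/null)
    chroot_state=$(systemctl is-active named-chroot.service 2>/dev/null || echo inactive)
    echo "deployment: $(classify "$enf" "$ps_out" "$chroot_state")"
else
    echo "sample confined host:   $(classify Enforcing "$SAMPLE_PS_CONFINED" inactive)"
    echo "sample permissive host: $(classify Permissive "$SAMPLE_PS_CONFINED" inactive)"
    echo "sample chroot host:     $(classify Disabled "$SAMPLE_PS_UNCONFINED" active)"
fi
```

Run it without arguments to see the three constructed cases; run it with `--live` on a CentOS 7 host to classify that host. A result of `unprotected` is the case the thread warns against: named neither chrooted nor confined.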