[CentOS] bind vs. bind-chroot
Leon Fauster
leonfauster at googlemail.com
Thu Apr 13 16:11:54 UTC 2017
> On 13.04.2017 at 17:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>
> On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>
>>> I have mine running that way.
>>
>> I bluntly admit not using SELinux, because until now, I mainly used more
>> bone-headed systems that didn't implement it. Maybe this is the right
>> time to get started.
>
> Another alternative with at least the same level of security, though not
> giving me any trouble I hear people sometimes have with SELinux, is to run
> services in separate jails (or other containers) - with the base system
> mounted inside the jail read-only (I use FreeBSD jails - apologies for
> mentioning, but Linux experts here can suggest a fair Linux equivalent).
bind-chroot is a subpackage and quite straightforward (yum install bind-chroot).
No need to handle jails and their environment updates when the base system
gets updated (we use rpm trigger scripts for that).
--
LF
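As an added example, not code from anyone in this thread, a small POSIX shell check that applies the rule discussed above (run named chrooted, or else with SELinux enforcing) to a running named. It assumes the bind-chroot root path /var/named/chroot and that pidof, readlink and getenforce are available.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Decides whether a running named
# is confined by the bind-chroot layout or, failing that, by SELinux enforcing.
# Assumption: bind-chroot places the jail at /var/named/chroot.

CHROOT_DIR=/var/named/chroot

# named_confinement ROOT_TARGET SELINUX_MODE
#   ROOT_TARGET  : what /proc/<pid>/root resolves to for the named process
#   SELINUX_MODE : output of getenforce (Enforcing / Permissive / Disabled)
# Prints one of: chroot, selinux, none. Returns 0 for chroot or selinux,
# 1 for none (neither protection is actually in effect).
named_confinement() {
    root_target=$1
    semode=$2
    if [ "$root_target" = "$CHROOT_DIR" ]; then
        echo chroot
        return 0
    fi
    # Not chrooted: only acceptable when SELinux really blocks denials.
    # Permissive merely logs them, so it does not count as confinement.
    if [ "$semode" = "Enforcing" ]; then
        echo selinux
        return 0
    fi
    echo none
    return 1
}

# Live check on a CentOS host: find named, resolve its root, read getenforce.
check_running_named() {
    pid=$(pidof named 2>/dev/null | awk '{print $1}')
    if [ -z "$pid" ]; then
        echo "named is not running" >&2
        return 2
    fi
    root_target=$(readlink "/proc/$pid/root")
    semode=$(getenforce 2>/dev/null || echo Disabled)
    named_confinement "$root_target" "$semode"
}

# Invoke as: sh named-check.sh --live   (needs root to read /proc/<pid>/root)
if [ "${1:-}" = "--live" ]; then
    check_running_named
fi
```

Exit status 0 means at least one of the two protections is in place; 1 means named runs unconfined on the base system; 2 means no named process was found.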