[CentOS] bind vs. bind-chroot

Thu Apr 13 16:11:54 UTC 2017
Leon Fauster <leonfauster at googlemail.com>

> On 13.04.2017 at 17:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
> 
> 
> On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>> 
>>> I have mine running that way.
>> 
>> I bluntly admit not using SELinux, because until now, I mainly used more
>> bone-headed systems that didn't implement it. Maybe this is the right
>> time to get started.
> 
> Another alternative with at least the same level of security, though not
> giving me any of the trouble I hear people sometimes have with SELinux, is to run
> services in separate jails (or other containers) - with the base system
> mounted inside the jail read-only (I use FreeBSD jails - apologies for
> mentioning it, but Linux experts here can suggest a fair Linux equivalent).


bind-chroot is a subpackage and quite straightforward (yum install bind-chroot). 
No need to handle jails and their environment updates when the base system 
gets updated (we use RPM trigger scripts for that).

--
LF
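Whichever way you go (bind-chroot, a jail, or plain named under SELinux), the thing worth verifying afterwards is that the daemon actually runs with a different root than the host. The script below is an added example for this thread, not code from the CentOS project or any of the posters: it reads /proc/PID/root, which the kernel resolves relative to the reader's own root, so an unconfined named shows "/" and a chrooted one shows the chroot directory. The default chroot path /var/named/chroot is what bind-chroot uses on CentOS 7 and is an assumption here; the helper names (proc_root, is_chrooted, chroot_matches, check_named) are mine.

```shell
#!/bin/sh
# Added example for the bind vs. bind-chroot thread; not from the CentOS
# project or the posters. Verifies whether a daemon really runs chrooted by
# inspecting /proc/PID/root. CHROOT_DIR defaults to the bind-chroot location
# on CentOS 7 (an assumption; override it for other releases).

CHROOT_DIR="${CHROOT_DIR:-/var/named/chroot}"

# proc_root PID: print the directory PID sees as "/". Fails if PID is gone
# or /proc/PID/root is not readable (reading another user's needs root).
proc_root() {
    readlink "/proc/$1/root"
}

# is_chrooted PID: 0 if PID's root is not the real root, 1 if it is "/",
# 2 if the process does not exist or its root cannot be read.
is_chrooted() {
    root=$(proc_root "$1" 2>/dev/null) || return 2
    [ "$root" != "/" ]
}

# chroot_matches PID DIR: 0 only if PID's root is exactly DIR, 2 if unreadable.
chroot_matches() {
    root=$(proc_root "$1" 2>/dev/null) || return 2
    [ "$root" = "$2" ]
}

# check_named: locate named and report its confinement.
# Returns 0 when it runs inside CHROOT_DIR, 1 when it runs unconfined or
# under some other root, 2 when it is not running at all.
check_named() {
    pid=$(pidof named 2>/dev/null | awk '{print $1}')
    if [ -z "$pid" ]; then
        echo "named is not running"
        return 2
    fi
    if chroot_matches "$pid" "$CHROOT_DIR"; then
        echo "named (pid $pid) is chrooted to $CHROOT_DIR"
        return 0
    fi
    echo "named (pid $pid) root is '$(proc_root "$pid")', not $CHROOT_DIR"
    return 1
}

# Only run the report when invoked as: sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_named
    exit $?
fi
```

Run it as root (sh named-chroot-check.sh --check), since /proc/PID/root of a process owned by another user is only readable by root. A "/" result with bind-chroot installed usually means the plain named.service was started instead of named-chroot.service. Keep in mind that this only tells you the filesystem view is restricted; a chroot shares the kernel with the host, which is why Robert's point about SELinux still applies.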