Hi All,

I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box and am curious about people's opinions on chrooting vs selinux as a way of securing bind.

The bind-chroot on CentOS 7 also comes with a script (/usr/libexec/setup-named-chroot.sh) that sets up the much maligned systemd and, through bind mounts, creates an extra level of chroot hierarchy giving:

/var/named/chroot/var/named/chroot/var/named

which seems totally unnecessary.

I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be losing anything in terms of security?

Also, would I bother with chrooting at all if selinux can secure the environment for me?

My own opinions aside, what do others think and has anyone had experience with this?

Kind regards,
Tom

--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
I went through the chroot/selinux review when CentOS 6 came out. I went with selinux and no chroot.

I don't have too much of an issue with systemd; I am learning it as I go.

I am putting up a Samba4 AD with Bind-DLZ backend. The Samba wiki explicitly calls out no chroot and kind of explains why.

So I come out on the selinux side.

On 09/09/2015 09:09 PM, Tom Robinson wrote:
> I'm sure that bind-chroot would be happy enough running without the bind mounts but would I be
> losing anything in terms of security?
>
> Also, would I bother with chrooting at all if selinux can secure the environment for me?
Hi Robert,

Thanks for your response.

On 10/09/15 13:02, Robert Moskowitz wrote:
> I went through the chroot/selinux review when CentOS 6 came out. I went with selinux and no chroot.
>
> I don't have too much of an issue with systemd; I am learning it as I go.

I must admit that I'm not that perturbed by systemd either. Reminds me a little of Solaris SMF.

> I am putting up a Samba4 AD with Bind-DLZ backend. The Samba wiki explicitly calls out no chroot
> and kind of explains why.

Yes, I have already set this up on a CentOS 6 instance and have that working. But that is on a private network. The subject of this post relates to a public facing name server so it's a little more exposed. Some people would argue that chroot isn't a security mechanism.

> So I come out on the selinux side.

My feeling is that selinux should be enough security. Anyone else care to comment?

Kind regards,
Tom
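Whether named is actually confined by SELinux, whether it is running inside a chroot, and which bind mounts setup-named-chroot.sh has put under the chroot can all be checked on the host rather than argued in the abstract. The script below is an added example, not code from this thread or from the bind-chroot package. It assumes that BIND's SELinux domain is named_t and that bind-chroot mounts into /var/named/chroot (both as described in the thread); the mount listing embedded in it is constructed so the filters can be exercised offline.

```shell
#!/bin/bash
# Added example, not from the mailing-list thread: audit how a running
# named is confined on a CentOS 7 host.
# Assumptions (not from the thread's own text): BIND runs in the SELinux
# domain named_t, and bind-chroot's setup-named-chroot.sh bind-mounts
# into /var/named/chroot. SAMPLE_MOUNTS below is constructed data.

CHROOT=/var/named/chroot

# The third field of an SELinux context is the type:
# "system_u:system_r:named_t:s0" -> "named_t"
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the context's type is the confined BIND domain.
is_confined_named() {
    [ "$(selinux_type "$1")" = "named_t" ]
}

# Succeeds when PID's root directory is not the system root, i.e. the
# process is inside a chroot (compares device:inode of both roots).
# Returns 2 when /proc/PID/root cannot be read (needs root for other users).
is_chrooted_pid() {
    local proc_root sys_root
    proc_root=$(stat -Lc '%d:%i' "/proc/$1/root/." 2>/dev/null) || return 2
    sys_root=$(stat -Lc '%d:%i' / 2>/dev/null) || return 2
    [ "$proc_root" != "$sys_root" ]
}

# Filter a "TARGET SOURCE" listing (as from: findmnt -rn -o TARGET,SOURCE)
# on stdin down to the targets mounted underneath the chroot.
chroot_mount_targets() {
    awk -v root="$CHROOT" 'index($1, root "/") == 1 { print $1 }'
}

# Flag paths where the chroot root reappears inside itself, the doubled
# /var/named/chroot/var/named/chroot/... hierarchy the thread mentions.
nested_chroot_paths() {
    awk -v root="$CHROOT" 'index($1, root root) == 1 { print $1 }'
}

# Live audit of the running named; run as root so /proc/PID is readable.
audit_live() {
    local pid ctx
    pid=$(pgrep -xn named) || { echo "named is not running"; return 1; }
    # /proc/PID/attr/current is the kernel's view of the process label.
    ctx=$(tr -d '\0' < "/proc/$pid/attr/current")
    if is_confined_named "$ctx"; then
        echo "named pid $pid: SELinux confined ($ctx)"
    else
        echo "named pid $pid: NOT in named_t ($ctx)"
    fi
    if is_chrooted_pid "$pid"; then
        echo "named pid $pid: running inside a chroot"
    else
        echo "named pid $pid: not chrooted (relying on SELinux alone)"
    fi
    echo "mounts under $CHROOT:"
    findmnt -rn -o TARGET,SOURCE | chroot_mount_targets
    echo "nested chroot paths (should be empty):"
    findmnt -rn -o TARGET,SOURCE | nested_chroot_paths
}

# Constructed sample listing in findmnt "TARGET SOURCE" form.
SAMPLE_MOUNTS='/ /dev/sda1
/var/named/chroot/etc/named.conf /dev/sda1[/etc/named.conf]
/var/named/chroot/var/named /dev/sda1[/var/named]
/var/named/chroot/var/named/chroot/var/named /dev/sda1[/var/named]
/boot /dev/sda2'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "sample targets under $CHROOT:"
    printf '%s\n' "$SAMPLE_MOUNTS" | chroot_mount_targets
    echo "sample nested paths:"
    printf '%s\n' "$SAMPLE_MOUNTS" | nested_chroot_paths
fi
```

Run it with `--live` as root on the name server to report on the real named process; without arguments it only runs the filters over the constructed listing. If `audit_live` reports the process in named_t but not chrooted, the host is in the configuration Robert describes (SELinux alone); if it reports both, the bind mounts are still in place and the nested-path check shows whether the doubled hierarchy Tom noticed is visible through them.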