On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>> But make sure to have SELinux enabled if you do not run it chrooted.
>>
>> I have mine running that way.
>
> I bluntly admit not using SELinux, because until now, I mainly used more
> bone-headed systems that didn't implement it. Maybe this is the right
> time to get started.
>
> I understand there's a wealth of information about SELinux. Any
> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
> extensive documentation, but I prefer stuff that's well-written.
>
> Cheers,
>
> Niki
>

I don't use SELinux because it gets in my way far more than it ever actually protects me from anything.

I'm sure there are systems where it absolutely is necessary, but I don't like to have stuff fail because I used mv instead of cp to install a certificate, for example.

For authoritative DNS I also do not use chroot but authoritative DNS is all those servers do, and I use zones signed externally via DNSSEC (no private keys on the server)
On 04/13/2017 04:23 AM, Alice Wonder wrote:
> On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>
>>> I have mine running that way.
>>
>> I bluntly admit not using SELinux, because until now, I mainly used more
>> bone-headed systems that didn't implement it. Maybe this is the right
>> time to get started.
>>
>> I understand there's a wealth of information about SELinux. Any
>> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
>> extensive documentation, but I prefer stuff that's well-written.
>>
>> Cheers,
>>
>> Niki
>>
>
> I don't use SELinux because it gets in my way far more than it ever
> actually protects me from anything.
>
> I'm sure there are systems where it absolutely is necessary, but I
> don't like to have stuff fail because I used mv instead of cp to
> install a certificate, for example.

I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not get to sit down with him on this at IETF. So I don't know what certs I will need as yet. For my mailserver, I am using self-signed, and see my Apache setup, towards the end, how I create a set of certs:

http://medon.htt-consult.com/Centos7-mailserver.html#Setting%20up%20Apache

I had some help on this from the OpenSSL list.

>
> For authoritative DNS I also do not use chroot but authoritative DNS
> is all those servers do, and I use zones signed externally via DNSSEC
> (no private keys on the server)

Something to consider, but I would do it on one of my internal systems. Not a third party; why should I trust them? Unless they are providing a full DNS PKI service.
On 04/13/2017 03:15 AM, Robert Moskowitz wrote:
>
>
> On 04/13/2017 04:23 AM, Alice Wonder wrote:
>> On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:
>>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>>
>>>> I have mine running that way.
>>>
>>> I bluntly admit not using SELinux, because until now, I mainly used more
>>> bone-headed systems that didn't implement it. Maybe this is the right
>>> time to get started.
>>>
>>> I understand there's a wealth of information about SELinux. Any
>>> recommendations for a newbie-friendly primer? I don't mind to RTFM, even
>>> extensive documentation, but I prefer stuff that's well-written.
>>>
>>> Cheers,
>>>
>>> Niki
>>>
>>
>> I don't use SELinux because it gets in my way far more than it ever
>> actually protects me from anything.
>>
>> I'm sure there are systems where it absolutely is necessary, but I
>> don't like to have stuff fail because I used mv instead of cp to
>> install a certificate, for example.
>
> I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not
> get to sit down with him on this at IETF. So I don't know what certs I
> will need as yet. For my mailserver, I am using self-signed, and see my
> Apache setup, towards the end, how I create a set of certs:
>
> http://medon.htt-consult.com/Centos7-mailserver.html#Setting%20up%20Apache
>
> I had some help on this from the OpenSSL list.
>
>>
>> For authoritative DNS I also do not use chroot but authoritative DNS
>> is all those servers do, and I use zones signed externally via DNSSEC
>> (no private keys on the server)
>
> Something to consider, but I would do it on one of my internal systems.
> Not a third party; why should I trust them? Unless they are providing a
> full DNS PKI service.
>
>

I meant DNSSEC signing is done externally to the authoritative DNS. I do the signing myself.
Point being if someone hacked my authoritative DNS server, they could not alter my zone files in a way DNSSEC enforcing resolvers would accept because the signing keys are not there.
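A toy model of the split described in this reply, added here as an illustration and not code from the thread or from BIND: the private signing key exists only on the offline signer, the authoritative server receives signed RRsets plus the public DNSKEY, and a validating resolver rejects any RRset whose RRSIG no longer matches. It assumes a deliberately tiny textbook RSA key (constructed, nowhere near real strength), an RFC 4034-style canonical RRset form, and constructed example.test records in place of real dnssec-keygen/dnssec-signzone output.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes: far too small for real use,
# it only stands in for a real ZSK generated with dnssec-keygen.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: exists only on the signing host
DNSKEY = (N, E)                    # public half: the only key material published in the zone

def canonical_rrset(owner, ttl, rtype, rdatas):
    """RFC 4034-style canonical form: lowercase owner name, rdata in sorted order."""
    return "\n".join(f"{owner.lower()} {ttl} IN {rtype} {r}" for r in sorted(rdatas))

def rrset_digest(owner, ttl, rtype, rdatas, n=N):
    h = hashlib.sha256(canonical_rrset(owner, ttl, rtype, rdatas).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign_rrset(owner, ttl, rtype, rdatas, d=D, n=N):
    """Offline signer: produce the RRSIG-like value for one RRset."""
    return pow(rrset_digest(owner, ttl, rtype, rdatas, n), d, n)

def validate_rrset(owner, ttl, rtype, rdatas, rrsig, dnskey=DNSKEY):
    """Validating resolver: check the RRSIG using nothing but the public DNSKEY."""
    n, e = dnskey
    return pow(rrsig, e, n) == rrset_digest(owner, ttl, rtype, rdatas, n)

def publish_zone():
    """What gets copied to the authoritative server: signed RRsets and the DNSKEY.
    The private exponent D is deliberately not part of the result."""
    rrsets = [("example.test.", 3600, "A", ["192.0.2.10", "192.0.2.11"]),  # constructed data
              ("www.example.test.", 3600, "A", ["192.0.2.20"])]
    signed = {(o, t, ty): (rd, sign_rrset(o, t, ty, rd)) for o, t, ty, rd in rrsets}
    return {"DNSKEY": DNSKEY, "rrsets": signed}

def tamper_and_validate(zone, victim=("www.example.test.", 3600, "A")):
    """Model of an intruder on the authoritative host: the zone file can be edited,
    but with no private key the old RRSIG is all that can be served alongside it."""
    _rdatas, rrsig = zone["rrsets"][victim]
    swapped = ["198.51.100.99"]  # constructed replacement address
    zone["rrsets"][victim] = (swapped, rrsig)
    return validate_rrset(*victim, swapped, rrsig, zone["DNSKEY"])

if __name__ == "__main__":
    zone = publish_zone()
    owner, ttl, rtype = "example.test.", 3600, "A"
    rdatas, rrsig = zone["rrsets"][(owner, ttl, rtype)]
    print("genuine RRset validates:", validate_rrset(owner, ttl, rtype, rdatas, rrsig))
    print("tampered RRset validates:", tamper_and_validate(zone))
```

The same holds for a re-signed zone shipped after every change: as long as D never leaves the signing host, the authoritative server can only serve what the signer produced.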