On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>> But make sure to have SELinux enabled if you do not run it chrooted.
>>
>> I have mine running that way.
>
> I bluntly admit not using SELinux, because until now, I mainly used more
> bone-headed systems that didn't implement it. Maybe this is the right
> time to get started.

Another alternative with at least the same level of security, though not giving me any of the trouble I hear people sometimes have with SELinux, is to run services in separate jails (or other containers) - with the base system mounted inside the jail read-only (I use FreeBSD jails - apologies for mentioning, but Linux experts here can suggest a fair Linux equivalent).

Valeri

> I understand there's a wealth of information about SELinux. Any
> recommendations for a newbie-friendly primer? I don't mind RTFM, even
> extensive documentation, but I prefer stuff that's well-written.
>
> Cheers,
>
> Niki
>
> --
> Microlinux - Sustainable IT solutions
> 7, place de l'église - 30730 Montpezat
> Web : http://www.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
> On 13.04.2017 at 17:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>
>>> I have mine running that way.
>>
>> I bluntly admit not using SELinux, because until now, I mainly used more
>> bone-headed systems that didn't implement it. Maybe this is the right
>> time to get started.
>
> Another alternative with at least the same level of security, though not
> giving me any of the trouble I hear people sometimes have with SELinux, is to run
> services in separate jails (or other containers) - with the base system
> mounted inside the jail read-only (I use FreeBSD jails - apologies for
> mentioning, but Linux experts here can suggest a fair Linux equivalent).

bind-chroot is a subpackage and quite straightforward (yum install bind-chroot). No need to handle jails and their environment updates when the base system gets updated (we use rpm's trigger scripts for that).

--
LF
On 04/13/2017 12:11 PM, Leon Fauster wrote:
>> On 13.04.2017 at 17:40, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>> On Thu, April 13, 2017 3:05 am, Nicolas Kovacs wrote:
>>> On 13/04/2017 at 04:27, Robert Moskowitz wrote:
>>>> But make sure to have SELinux enabled if you do not run it chrooted.
>>>>
>>>> I have mine running that way.
>>> I bluntly admit not using SELinux, because until now, I mainly used more
>>> bone-headed systems that didn't implement it. Maybe this is the right
>>> time to get started.
>> Another alternative with at least the same level of security, though not
>> giving me any of the trouble I hear people sometimes have with SELinux, is to run
>> services in separate jails (or other containers) - with the base system
>> mounted inside the jail read-only (I use FreeBSD jails - apologies for
>> mentioning, but Linux experts here can suggest a fair Linux equivalent).
>
> bind-chroot is a subpackage and quite straightforward (yum install bind-chroot).
> No need to handle jails and their environment updates when the base system
> gets updated (we use rpm's trigger scripts for that).

Correct, no real need for creating something special; bind-chroot has been around for years and just works. Before SELinux it was what we did. My last DNS server was Redsleeve 6, on which I could not get SELinux working, so I just ran chroot. Now I have Centos7-arm with SELinux, so no chroot.
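The thread converges on one rule: named should be either chrooted (bind-chroot), under enforcing SELinux, or inside a jail/container whose base system is read-only. The script below is an added example, not code from the thread, from the bind-chroot package or from any of the posters; it turns that rule into a check an administrator can run after deployment. It assumes the CentOS 7 layout (bind-chroot places the chroot at /var/named/chroot and the daemon is named-chroot), that `getenforce` reports the SELinux state, and that `/proc/PID/root` and `/proc/PID/mounts` have their usual Linux meaning. The classification and mount-table functions are pure (they take their inputs as arguments), so they can be exercised offline with constructed values; only the `--live` mode touches the running system.

```sh
#!/bin/sh
# Added example (not from the thread or the bind-chroot package): report how
# the BIND daemon is isolated, following the advice above that SELinux must
# stay enabled when named is not chrooted.
# Assumptions: CentOS 7 layout, bind-chroot roots the daemon at
# /var/named/chroot; SELinux state comes from getenforce.

# classify_isolation MODE ROOT
#   MODE is the getenforce output (Enforcing, Permissive or Disabled),
#   ROOT is the resolved /proc/PID/root of the named process.
# Prints one of: chroot+selinux, selinux-only, chroot-only, none.
classify_isolation() {
    mode=$1
    root=$2
    case $root in
        ''|/) chrooted=no ;;   # real filesystem root: not chrooted
        *)    chrooted=yes ;;  # any other root means the process is chrooted
    esac
    case "$mode:$chrooted" in
        Enforcing:yes) echo chroot+selinux ;;
        Enforcing:no)  echo selinux-only ;;
        *:yes)         echo chroot-only ;;   # Permissive/Disabled but chrooted
        *)             echo none ;;          # neither protection is active
    esac
}

# isolation_ok MODE ROOT: succeed when at least one mechanism protects named,
# fail when classify_isolation says "none".
isolation_ok() {
    [ "$(classify_isolation "$1" "$2")" != none ]
}

# root_mounted_ro MOUNTS_TEXT: given mount-table lines in /proc/PID/mounts
# format (device mountpoint fstype options dump pass), succeed when the
# filesystem root "/" carries the "ro" option, i.e. the read-only base
# system Valeri describes for his jails (assumed to be what a container's
# own mount table shows).
root_mounted_ro() {
    printf '%s\n' "$1" | awk '
        $2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# probe_named_root: resolve the filesystem root the running named sees.
# Prints / when no named process is found or the link is not readable
# (reading another user's /proc/PID/root needs root privileges).
probe_named_root() {
    pid=$(pidof named 2>/dev/null | awk '{print $1}')
    if [ -n "$pid" ]; then
        readlink "/proc/$pid/root" 2>/dev/null || echo /
    else
        echo /
    fi
}

# Constructed sample mount tables (not captured from a real host) used to
# illustrate root_mounted_ro.
SAMPLE_MOUNTS_RO='/dev/vda1 / ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_MOUNTS_RW='/dev/vda1 / ext4 rw,relatime 0 0'

# Live report; only runs when invoked with --live on a real system.
if [ "${1:-}" = --live ]; then
    mode=$(getenforce 2>/dev/null || echo Disabled)
    root=$(probe_named_root)
    echo "selinux=$mode named_root=$root state=$(classify_isolation "$mode" "$root")"
    if ! isolation_ok "$mode" "$root"; then
        echo "WARNING: named is neither chrooted nor under enforcing SELinux"
    fi
    if [ -n "$pid" ] && root_mounted_ro "$(cat "/proc/$pid/mounts" 2>/dev/null)"; then
        echo "named sees a read-only root filesystem"
    fi
fi
```

Run it as `sh check-named.sh --live` on the DNS host; with bind-chroot and SELinux enforcing it reports `state=chroot+selinux`, and a host that has dropped both protections prints the warning, which is the condition the first message in the thread warns against.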