But many people disable Selinux, so it is always better to have a secure alternatives - Selinux is better IMHO and it is possible<br>to do "chroot" better with selinux (<a href="http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html">http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html</a>)<br>
<br><br><div class="gmail_quote">On Mon, Nov 10, 2008 at 1:26 PM, Adam Tkac <span dir="ltr"><<a href="mailto:atkac@redhat.com">atkac@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c">On Fri, Nov 07, 2008 at 06:52:10PM -0500, Paul Wouters wrote:<br>
> On Fri, 7 Nov 2008, David Woodhouse wrote:<br>
><br>
>> On Fri, 2008-11-07 at 13:09 +0100, Adam Tkac wrote:<br>
>>> bind-chroot-admin script should sync BIND configuration files to<br>
>>> chroot() directory. It was written with good intention but it has<br>
>>> never worked correctly in all situations. There is long history with<br>
>>> many broken configurations and urgent severity bugs.<br>
>>><br>
>>> I'm going to remove this script from Fedora 11 (it is part of Fedora/RHEL<br>
>>> only, no other distro uses it). After removal, "standard" chroot<br>
>>> structure will be created when you install bind-chroot package. It<br>
>>> will contain all needed files for running named in chroot but admin<br>
>>> shall move needed configuration files to chroot manually. Do you have<br>
>>> any comments?<br>
><br>
> I'd rather see something replace it. For unbound, another caching resolver<br>
> with chroot (which got pushed in the repository a few days ago), the<br>
> same problem is solved by copying/linking/mounting files in the<br>
> chroot via the init script.<br>
><br>
> Updating the chroot becomes important for shipping DNSSEC keys via a package.<br>
> I am putting in a review request today for a new package 'dnssec-keys'<br>
> that allows people to easily enable/disable DNSSEC and preload the proper<br>
> keys for active TLD's. Things should get easier once the root is signed.<br>
><br>
> I was about to look at bind, since the DNSSEC key format for unbound and<br>
> bind is the same, so I am using one include file that will work on both<br>
> nameservers, once they copy it into their chroot environment.<br>
><br>
> Have a look at the unbound method, and see if that is something that could<br>
> also work for named?<br>
><br>
> Paul<br>
<br>
</div></div>I looked into unbound init script (if I understand correctly it<br>
deals with chroot symlinks). Unbound uses only small amount of<br>
configuration files so it is quite easy to create chroot.<br>
<br>
If you look into bind-chroot-admin it tries deal with all possible<br>
situations and it sometimes doesn't work and when something fails<br>
it generally breaks configuration which is, of course, pretty bad.<br>
<br>
BIND has good SELinux policy so for "mainstream" configurations chroot<br>
is simply not needed.<br>
<br>
Chroot is used by traditional admins whose create it manually or when<br>
you need really secure environment (chroot+SELinux). Both cases<br>
doesn't need bind-chroot-admin because in the first case user doesn't use<br>
it and in the second case configuration is maintained in some kind of<br>
VSC (CVS, SVN etc...) and bind-chroot-admin makes only problems.<br>
<div class="Ih2E3d"><br>
Adam<br>
<br>
--<br>
Adam Tkac, Red Hat, Inc.<br>
<br>
--<br>
</div><div><div></div><div class="Wj3C7c">fedora-devel-list mailing list<br>
<a href="mailto:fedora-devel-list@redhat.com">fedora-devel-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/fedora-devel-list" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-devel-list</a><br>
</div></div></blockquote></div><br>