End of bind-chroot-admin script

yersinia yersinia.spiros at gmail.com
Mon Nov 10 11:57:58 UTC 2008


But many people disable SELinux, so it is always better to have a secure
alternative - SELinux is better IMHO and it is possible
to do "chroot" better with SELinux (
http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
)


On Mon, Nov 10, 2008 at 1:26 PM, Adam Tkac <atkac at redhat.com> wrote:

> On Fri, Nov 07, 2008 at 06:52:10PM -0500, Paul Wouters wrote:
> > On Fri, 7 Nov 2008, David Woodhouse wrote:
> >
> >> On Fri, 2008-11-07 at 13:09 +0100, Adam Tkac wrote:
> >>> The bind-chroot-admin script should sync BIND configuration files to
> >>> the chroot() directory. It was written with good intentions but it has
> >>> never worked correctly in all situations. There is a long history of
> >>> many broken configurations and urgent severity bugs.
> >>>
> >>> I'm going to remove this script from Fedora 11 (it is part of Fedora/RHEL
> >>> only, no other distro uses it). After removal, a "standard" chroot
> >>> structure will be created when you install the bind-chroot package. It
> >>> will contain all needed files for running named in a chroot but the admin
> >>> shall move needed configuration files to the chroot manually. Do you have
> >>> any comments?
> >
> > I'd rather see something replace it. For unbound, another caching resolver
> > with chroot (which got pushed in the repository a few days ago), the
> > same problem is solved by copying/linking/mounting files in the
> > chroot via the init script.
> >
> > Updating the chroot becomes important for shipping DNSSEC keys via a package.
> > I am putting in a review request today for a new package 'dnssec-keys'
> > that allows people to easily enable/disable DNSSEC and preload the proper
> > keys for active TLDs. Things should get easier once the root is signed.
> >
> > I was about to look at bind, since the DNSSEC key format for unbound and
> > bind is the same, so I am using one include file that will work on both
> > nameservers, once they copy it into their chroot environment.
> >
> > Have a look at the unbound method, and see if that is something that could
> > also work for named?
> >
> > Paul
>
> I looked into the unbound init script (if I understand correctly it
> deals with chroot symlinks). Unbound uses only a small number of
> configuration files so it is quite easy to create a chroot.
>
> If you look into bind-chroot-admin, it tries to deal with all possible
> situations and it sometimes doesn't work, and when something fails
> it generally breaks the configuration which is, of course, pretty bad.
>
> BIND has good SELinux policy so for "mainstream" configurations chroot
> is simply not needed.
>
> Chroot is used by traditional admins who create it manually or when
> you need a really secure environment (chroot+SELinux). Both cases
> don't need bind-chroot-admin because in the first case the user doesn't use
> it and in the second case the configuration is maintained in some kind of
> VCS (CVS, SVN etc...) and bind-chroot-admin only makes problems.
>
> Adam
>
> --
> Adam Tkac, Red Hat, Inc.
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>
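The copy-into-chroot approach Paul describes for unbound's init script, written to avoid the failure mode Adam raises (a sync that breaks the configuration when it fails part-way), as an added example: this is not code from the thread, from bind-chroot-admin or from unbound, and the source root, chroot directory and file list are arguments you supply.

```shell
#!/bin/sh
# Added example (not code from the thread, from bind-chroot-admin or from
# unbound's init script): copy a fixed list of configuration files into a
# chroot, as an init script would do before starting the daemon.
#
# Safety properties the approach relies on:
#  * only files under SRC_ROOT named by a relative path are touched, so a
#    path containing ".." cannot write outside the chroot;
#  * each file is staged beside its destination and renamed into place, so a
#    failure never leaves a half-written file in the chroot;
#  * a missing source is reported and the copy already in the chroot is
#    kept as-is; the function returns non-zero so the init script can
#    refuse to start the daemon with a stale configuration.
# Files the daemon writes itself (journals, slave zones) must not be listed.
#
# usage: sync_into_chroot SRC_ROOT CHROOT_DIR REL_PATH...
#        e.g. sync_into_chroot / /var/named/chroot etc/named.conf etc/rndc.key
sync_into_chroot() {
    src_root=${1%/}; chroot_dir=${2%/}; shift 2
    status=0
    if [ ! -d "$chroot_dir" ]; then
        echo "sync_into_chroot: no such chroot: $chroot_dir" >&2
        return 1
    fi
    for rel in "$@"; do
        # reject absolute paths and any ".." component
        case "$rel" in
            /*|..|../*|*/..|*/../*)
                echo "sync_into_chroot: refusing path $rel" >&2
                status=1; continue ;;
        esac
        src="$src_root/$rel"; dst="$chroot_dir/$rel"
        if [ ! -f "$src" ]; then
            echo "sync_into_chroot: missing source $src (keeping $dst)" >&2
            status=1; continue
        fi
        mkdir -p "$(dirname "$dst")" || { status=1; continue; }
        # nothing to do if the chroot copy is already identical
        [ -f "$dst" ] && cmp -s "$src" "$dst" && continue
        tmp="$dst.tmp.$$"
        if cp -p "$src" "$tmp" && mv -f "$tmp" "$dst"; then
            echo "sync_into_chroot: updated $dst"
        else
            rm -f "$tmp"; status=1
        fi
    done
    return $status
}
```

Run it from the init script's start action and abort the start when it returns non-zero; the files already in the chroot are then exactly what was there before the failed sync.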