End of bind-chroot-admin script

Paul Wouters paul at xelerance.com
Mon Nov 10 17:03:35 UTC 2008


On Mon, 10 Nov 2008, yersinia wrote:

> But many people disable SELinux, so it is always better to have secure
> alternatives - SELinux is better IMHO and it is possible
> to do "chroot" better with SELinux (
> http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
> )

The question is, is it worth the hassle of maintaining the chroot? This is
important for both named and unbound as they will be able in the near
future to include DNSSEC keys, which will be provided by a different
package. So one has to update the chroot when a "third party" package
updates itself.

I'm currently doing this with the unbound nameserver, but it is quite
ugly.

Paul



