[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: End of bind-chroot-admin script



On Mon, 10 Nov 2008, yersinia wrote:

> But many people disable Selinux, so it is always better to have a secure
> alternatives - Selinux is better IMHO and it is possible
> to do "chroot" better with selinux (
> http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
> )

The question is, is it worth the hassle of maintaining the chroot. This is
important for both named and unbound as they will be able in the near
future to include dnssec keys, which will be provided by a different
package. So one has to update the chroot when a "third party" package
updates itself. 

I'm currently doing this with the unbound nameserver, but it is quite
ugly.

Paul


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]