
Russell Coker writes:
On Thu, 10 Sep 2015 11:52:31 AM Trent W. Buck wrote:
chroot isn't a security mechanism.
I believe that there is no benefit in allowing a chroot when using SE Linux. If a daemon is to chroot then it needs to be granted the chroot capability [...]
Not strictly true. systemd.exec(5) can chroot before spawning the daemon, the same way it can seteuid before spawning the daemon. Whether this would ACTUALLY be sufficient is... debatable. :-) For named or nsd, I think it would actually make more sense to use the Private*= and *Directories= options to set up a new VFS namespace. IOW rather than named seeing /var/named/chroot as its root, it would see the regular / but with most subdirs hidden. Binding to the low port would be solved either using socket activation (requires patched daemon) or by setpcap CAP_NET_BIND_SERVICE. I'm not sure whether it's worthwhile to do *both* selinux and that kind of security ricing. Probably not.
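As an added illustration (not part of the thread), this is what the namespace approach described above looks like as a systemd drop-in for nsd: the daemon keeps the ordinary / but sees it read-only with most of it hidden, and gets only CAP_NET_BIND_SERVICE instead of running as root or chrooting. The drop-in path, the nsd user and the directory names are assumptions; the directives themselves are standard systemd.exec(5) options on a current systemd.

```ini
# Assumed path: /etc/systemd/system/nsd.service.d/confine.conf
# A drop-in, not a chroot: nsd still sees the real / but confined.
[Service]
User=nsd
Group=nsd
NoNewPrivileges=yes

# Whole filesystem read-only, /home /root /run/user invisible,
# private /tmp and /dev, kernel tunables and cgroups read-only.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
# Hide subtrees the daemon has no business seeing ("-" tolerates absence).
InaccessiblePaths=-/srv -/opt -/media -/mnt

# The *Directory= options create these under /etc, /var/lib, /run and
# /var/log, chown them to User=, and make them the only writable paths
# despite ProtectSystem=strict.
ConfigurationDirectory=nsd
StateDirectory=nsd
RuntimeDirectory=nsd
LogsDirectory=nsd

# Port 53 as an unprivileged user: keep exactly one capability, raised
# into the ambient set so the unprivileged nsd binary actually has it.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```

After `systemctl daemon-reload`, `systemd-analyze security nsd.service` lists which of these restrictions took effect and what is still exposed, which is a quicker check than reasoning about a chroot's escape paths.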