> it is completely irrelevant because when you switch SELinux to
> "permissive" in case you need to debug something it's gone and hence
> layered-security is always the way to go

I don't understand this negative perception of SELinux. Why do you think debugging differs from any other applied hardening, e.g. Linux capabilities?

From my experience, and we had SELinux in enforcing mode on our DNS servers with BIND for over a year, SELinux provides very clear error reporting in case anything should go wrong. You can easily modify the policy or, in a worst case, you can set specific services to permissive mode and leave the rest in enforcing mode.

Daniel
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users