On 31.01.2018 at 16:16, Daniel Stirnimann wrote:
It is completely irrelevant, because when you switch SELinux to
"permissive" in case you need to debug something, it's gone, and hence
layered security is always the way to go.
I don't understand this negative perception of SELinux. Why do you think
debugging differs from any other applied hardening e.g. linux capabilities?
there was none
From my experience (we had SELinux in enforcing mode on our DNS
servers with BIND for over a year), SELinux provides very clear error
reporting in case anything should go wrong. You can easily modify the
policy or, in the worst case, you can set specific services to permissive
mode and leave the rest in enforcing mode.
That doesn't change the fact that from that moment on all protections for
*that* service are gone, while with layered security the
systemd hardening is still in place.
It's terribly helpful to have hardening on every stack which provides it,
and be it only because a mistake you made in an SELinux policy opened
something which was not intended.
The same goes for network layers: just because I have a datacenter firewall
in place, I don't disable iptables/nftables on the machines themselves; just
because I bound the only relevant service to a specific NIC, I don't turn
off the firewall, because when years later someone changes the binding
without knowing the outcome, he exposes the service to the internet, while
with the firewall in place it's still as intended.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
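The layering argument above can be turned into a per-layer check: SELinux, the systemd unit hardening and the host firewall are each verified independently, so a domain switched to permissive shows up as one lost layer rather than an invisible one. This is an added example, not code from the thread; it takes the tool outputs as text (so it can run against captured output), and the required systemd directives and the interface name are assumed baselines, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example: report, per layer, whether a service's protections are still in force.
# Each function takes the relevant tool output as a string so it can be run offline
# against captured output; on a live host feed it `getenforce`, `semanage permissive -l`,
# `systemctl show -p ... <unit>` and `nft list ruleset`.

# Layer 1: SELinux. The layer is gone for a domain if the whole system is not
# Enforcing, or if the domain (e.g. named_t) is listed as permissive.
selinux_layer() {  # $1 = getenforce output, $2 = `semanage permissive -l` output, $3 = domain
  case "$1" in
    Enforcing) ;;
    *) echo "selinux: system-wide $1, nothing enforced for $3"; return 1 ;;
  esac
  if printf '%s\n' "$2" | grep -qx "$3"; then
    echo "selinux: domain $3 is permissive, this layer is gone"; return 1
  fi
  echo "selinux: enforcing for $3"; return 0
}

# Layer 2: systemd unit hardening, read from `systemctl show -p Key1 -p Key2 ... unit`.
# The baseline list below is an assumption for this example, not a thread recommendation.
systemd_layer() {  # $1 = systemctl show output (Key=Value lines)
  missing=""
  for want in ProtectSystem=strict ProtectHome=yes PrivateTmp=yes NoNewPrivileges=yes; do
    printf '%s\n' "$1" | grep -qx "$want" || missing="$missing $want"
  done
  if [ -n "$missing" ]; then
    echo "systemd: hardening missing:$missing"; return 1
  fi
  echo "systemd: hardening present"; return 0
}

# Layer 3: host firewall. Port 53 must be accepted only on the intended interface,
# so a later change of the service binding does not silently expose it.
firewall_layer() {  # $1 = `nft list ruleset` output, $2 = interface name (assumed)
  if printf '%s\n' "$1" | grep -q "iifname \"$2\".*dport 53"; then
    echo "firewall: port 53 limited to $2"; return 0
  fi
  echo "firewall: no interface-bound rule for port 53"; return 1
}
```

Run each function against real output on the host and treat any non-zero return as a layer to restore before relying on the others.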