On Thu, 10 Sep 2015 11:52:31 AM Trent W. Buck wrote: > Tom Robinson writes: > > The bind-chroot on CentOS 7 also comes with a script > > (/usr/libexec/setup-named-chroot.sh) that sets up the much maligned > > systemd and, through bind mounts, creates and extra level of chroot > > hierarchy giving: > > > > /var/named/chroot/var/named/chroot/var/named > > which seems totally unnecessary. > > Obligatory knee-jerk response: > Have you considered nsd3 + unbound instead?
Last time I tried NSD it required a utility from the BIND source tree to copy a zone to a secondary server. It was also annoying to setup. Has it improved in that regard? Apart from being annoying it seemed like a reasonable option. A minimal code base designed to be secure. > > I'm migrating a CentOS 6 bind instance (chrooted) to a CentOS 7 box > > and am curious of people's opinions on chrooting vs selinux as a way > > of securing bind. > > chroot isn't a security mechanism. BIND drops privs after it starts, so if it's attacked (and if it dropped privs properly) then it won't be able to do any damage that a chroot would stop (IE it can't read home directories etc). If it doesn't drop privs properly (a problem some daemons have had in the past) then it can escape from a chroot. I believe that there is no benefit in allowing a chroot when using SE Linux. If a daemon is to chroot then it needs to be granted the chroot capability and often other access that it wouldn't have if it wasn't chrooted (such as the ability to copy shared objects to the chroot). SE Linux access controls are much more restrictive than a chroot. The access they grant to the filesystem is minimal, a non-chrooted daemon will be able to read lots of files that are part of the OS distribution but that's not a security problem. http://doc.coker.com.au/papers/polyinstantiation-directories-in-se-linux/ If you really want to have restrictions on BIND in addition to SE Linux then the only example I can think of is etc_t which is used for lots of things under /etc. So if you had a different version of /etc for BIND that might give you a benefit. The above URL has a paper I wrote about Polyinstantiated Directories. You could create a special version of /etc for BIND that only has the bare minimum that it needs. But I don't think it's worth the effort. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ _______________________________________________ luv-main mailing list [email protected] http://lists.luv.asn.au/listinfo/luv-main
