RSBAC Grsec Selinux ProPolice and Pax

Archaic archaic at indy.rr.com
Sun Jan 18 06:19:29 PST 2004


On Sun, Jan 18, 2004 at 08:35:44AM -0500, Robert Connolly wrote:
> 
> Of course not. I just see how selinux would justify using redhat as a base 
> system. I have no intention of adding any unnessesary features.

Whew! I was getting worried. ;)

> If you have several daemons in the same chroot you can't control letting 2 
> daemons/users share a file without letting the others.

Why should someone have more than one daemon in a chroot? That rather
defeats the purpose of allowing the daemon to see only what it needs.
For my tastes, I use /opt/proftpd, /opt/httpd, etc. /opt, of course, is
optional. Ryan likes to use /usr/local/<daemon>, so where really isn't a
concern as long as it's writable. But I'm even more paranoid and give
each daemon it's own partition mounted under /opt. Some people recommend
/var, but I don't like that for the fact that someone may be able to DoS
you by filling up /var. If they fill up /opt (assuming it's on a
different fs, then no big deal).

> Like how propolice aborts libsafe's example exploits, libsafe may be
> obsolete, but it can be used anyway. On an selinux system, chroot may
> be obsolete, but it can be used anyway.

Not obsolete. Maybe not as likely to be needed...

-- 
Archaic

The Constitution is not neutral. It was designed to take the government
off the backs of the people.

- Justice William O. Douglas




More information about the hlfs-dev mailing list