RSBAC Grsec Selinux ProPolice and Pax

Archaic archaic at
Sun Jan 18 06:19:29 PST 2004

On Sun, Jan 18, 2004 at 08:35:44AM -0500, Robert Connolly wrote:
> Of course not. I just see how selinux would justify using redhat as a base 
> system. I have no intention of adding any unnessesary features.

Whew! I was getting worried. ;)

> If you have several daemons in the same chroot you can't control letting 2 
> daemons/users share a file without letting the others.

Why should someone have more than one daemon in a chroot? That rather
defeats the purpose of allowing the daemon to see only what it needs.
For my tastes, I use /opt/proftpd, /opt/httpd, etc. /opt, of course, is
optional. Ryan likes to use /usr/local/<daemon>, so where really isn't a
concern as long as it's writable. But I'm even more paranoid and give
each daemon it's own partition mounted under /opt. Some people recommend
/var, but I don't like that for the fact that someone may be able to DoS
you by filling up /var. If they fill up /opt (assuming it's on a
different fs, then no big deal).

> Like how propolice aborts libsafe's example exploits, libsafe may be
> obsolete, but it can be used anyway. On an selinux system, chroot may
> be obsolete, but it can be used anyway.

Not obsolete. Maybe not as likely to be needed...


The Constitution is not neutral. It was designed to take the government
off the backs of the people.

- Justice William O. Douglas

More information about the hlfs-dev mailing list