On Friday 18 July 2003 07:54, Brandon Hale wrote:

> I received a similar
> argument concerning SE Linux, whose superior security model negates the
> usefulness of chroot'ing a service. However, SE Linux is currently
> difficult to implement effectively and not a feasible choice for the
> average sysadmin.

I have recently adopted systrace as a "better chroot". I find it is easier to
set up a new service under systrace than both chroot and selinux. Unlike
chroot, it is easy to disable systrace briefly if you suspect the security
hardening may be causing a problem.

Another advantage is that systrace is available to non-root users. That makes
it easier to prototype policies.

--
gentoo-dev@g.o mailing list