Enable systemd hardening options for named
Reindl Harald
h.reindl at thelounge.net
Wed Jan 31 15:23:09 UTC 2018
Am 31.01.2018 um 16:16 schrieb Daniel Stirnimann:
>> it is completely irrelevant because when you switch SELinux to
>> "permissive" in case you need to debug something it's gone, and hence
>> layered security is always the way to go
>
> I don't understand this negative perception of SELinux. Why do you think
> debugging differs from any other applied hardening e.g. linux capabilities?
there was none
> From my experience (and we had SELinux in enforcing mode on our DNS
> servers with BIND for over a year), SELinux provides very clear error
> reporting in case anything should go wrong. You can easily modify the
> policy or, in the worst case, you can set specific services to permissive
> mode and leave the rest in enforcing mode
that doesn't change the fact that from that moment on all protections for
*that* service are gone, while with layered security the systemd
hardening is still in place

it's terribly helpful to have hardening on every layer of the stack that
provides it, even if only because you made a mistake in a SELinux policy
and opened something which was not intended
the same goes for network layers - just because I have a datacenter
firewall in place I don't disable iptables/nftables on the machines
themselves; just because I bound the only relevant service to a specific
NIC I don't turn off the firewall, because when years later someone
changes the binding without knowing the outcome he exposes the service to
the internet, while with the firewall in place it's still as intended
More information about the bind-users
mailing list
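What the subject line of this thread is about in practice, as an added example that is not code from the thread, from either poster, or from the BIND project: a systemd drop-in that confines named independently of SELinux, so `setenforce 0` or a per-domain permissive setting leaves these restrictions untouched. It assumes the unit is called `named.service`, that named is started as root and drops to its own user itself (`-u named`), and that its writable state lives below `/var/named` and `/run/named`; unit name and paths differ per distribution (Debian/Ubuntu use `bind9.service` and `/var/cache/bind`), and the capability set is an assumption to confirm against your build, not something the page states.

```ini
# /etc/systemd/system/named.service.d/hardening.conf
# Added example, not from the bind-users thread or the BIND project.
# Assumed layout: unit named.service, named runs "-u named" and writes
# only below /var/named (zones, journals, dumps) and /run/named (pid).
[Service]
# Whole filesystem read-only except the directories named must write to.
# Add any file-logging channel directory from named.conf to this list.
ProtectSystem=strict
ReadWritePaths=/var/named /run/named
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
# Socket families named uses: IPv4/IPv6 for DNS and rndc, AF_UNIX for
# syslog/journald, AF_NETLINK because getifaddrs() enumerates interfaces
# over netlink on Linux.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
# Assumed set of capabilities named needs while still root: bind port 53,
# switch to the named user, chroot when started with -t, raise its own
# file-descriptor limit. Drop any that named does not miss in its log.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_SYS_RESOURCE
# Deliberately not set here: NoNewPrivileges=yes interacts with the SELinux
# domain transition performed at exec (only newer kernels and policies allow
# the transition under no_new_privs), so test it on your system first.
```

After `systemctl daemon-reload && systemctl restart named`, check that the restrictions actually apply with `systemctl show named.service -p ProtectSystem -p CapabilityBoundingSet` and `systemd-analyze security named.service`, and watch named's log for messages about failed setrlimit, socket or file access, which indicate a path or capability missing from the lists above. The point of keeping this in a drop-in rather than relying on SELinux alone is the one argued in the message: flipping SELinux to permissive for debugging changes nothing in this file.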