On Wed, Jul 29, 2009 at 6:47 AM, Alon Bar-Lev<alon.bar...@gmail.com> wrote:
> Well,
> I do not understand you guys.
>
> If you think SELinux is so great, why do you need chroot?
> It is like you put some money in safe, and then put the safe into
> another safe, it never ends... Why only two safe, let's put another
> safe...
> I know that this is the approach many of security advisors use, but I
> never could have found the logic.
> If you want to keep your money safe use a single safe and select the
> strongest one.

SELinux+chroot is indeed redundant, but as they do not conflict, why
not use them both?
To re-use your safe example: in your bank your belongings could be
protected by a smart safe, security guards and/or policemen... However
redundant that might be, I feel more comfortable knowing that more
means are used to protect my belongings :-)

> The daemon validates what SELinux or any other security
> product cannot validate: Network configuration changes. All done
> within a valid and separate context.

Indeed, indeed :-)

> As I wrote earlier, most of OpenVPN configurations need to execute
> iproute also during session. For example, if you like to connect two
> sites, your super SELinux secured solution will work only at one site.

Maybe so... I did not pretend SELinux was the ultimate solution to
every problem, and I straightforwardly recognize not knowing all
OpenVPN use cases. My will is only to offer more possibilities so that
everybody can find a combination that suits their needs: not everybody
uses the "user" or "chroot" option, probably even less people will use
the "setcon" option and who knows, maybe somebody will submit support
for doing the same with alternatives to SELinux (such as GRSecurity
and RSBAC).

> No need to discuss this further. I get your point.

Ok :-)

-- 
Sebastien Raveau

Reply via email to