On Wed, Jul 29, 2009 at 6:47 AM, Alon Bar-Lev<alon.bar...@gmail.com> wrote: > Well, > I do not understand you guys. > > If you think SELinux is so great, why do you need chroot? > It is like you put some money in safe, and then put the safe into > another safe, it never ends... Why only two safe, let's put another > safe... > I know that this is the approach many of security advisors use, but I > never could have found the logic. > If you want to keep your money safe use a single safe and select the > strongest one.
SELinux+chroot is indeed redundant, but as they do not conflict, why not use them both? To re-use your safe example: in your bank your belongings could be protected by a smart safe, security guards and/or policemen... However redundant that might be, I feel more comfortable knowing that more means are used to protect my belongings :-) > The daemon validates what SELinux or any other security > product cannot validate: Network configuration changes. All done > within a valid and separate context. Indeed, indeed :-) > As I wrote earlier, most of OpenVPN configurations need to execute > iproute also during session. For example, if you like to connect two > sites, your super SELinux secured solution will work only at one site. Maybe so... I did not pretend SELinux was the ultimate solution to every problem, and I straightforwardly recognize not knowing all OpenVPN use cases. My will is only to offer more possibilities so that everybody can find a combination that suits their needs: not everybody uses the "user" or "chroot" option, probably even less people will use the "setcon" option and who knows, maybe somebody will submit support for doing the same with alternatives to SELinux (such as GRSecurity and RSBAC). > No need to discuss this further. I get your point. Ok :-) -- Sebastien Raveau
