The isolate utility
Posted Jan 5, 2010 21:18 UTC (Tue) by drag (subscriber, #31333)
In reply to: The isolate utility by dpquigl
Parent article: The isolate utility
SELinux depends on the specific configuration of the server and what you
want to do with it. You can give a generic SELinux configuration, which is
what Fedora and Red Hat do... but the downsides of the trade-offs are obvious.
(Most people don't care enough to learn how to use it so they just turn it
off and for people that leave it running the additional restrictions are
not really that good at enhancing security).
But for the government contracts and high-security folks that Red Hat (and
friends) are targeting, SELinux is worth it since those additional
security enhancements are things they can justify the time and expense it
takes to get it done correctly for their specific needs.
All in all his post is a bit bizarre. BSD Jails is not really comparable
with SELinux except to state that they are both designed to protect the
system from buggy services. Other than that, the similarities end.
Does BSD Jails provide mandatory access controls? Role-based controls?
Multi-level security? No, of course not. So it's a nonsensical comparison.
If he wants to complain he can point out differences in how Jails work
versus LXC and how traditional containers for Linux (Linux-vserver/openvz)
required lots of patching and other things. Then he can go on and complain
about how Solaris is using their own container virtualization and not using
Jails and then complain about it with OS X and then with Windows.
That is something that would probably make sense here. But then it would be
pretty simple to poke holes in it.
The reality is that if you want BSD-Jail-like functionality in Linux you
can have it. Easily. I've been able to get it by using 'apt-get' in Debian
for probably most of the last decade (or more). People have been using
stuff like that for web hosting for years and years now. Of course with LXC
it's now built into the kernel and is generic enough to be used by lots of
different things for different purposes.
Maybe somebody should point out the effort to get SELinux ported to
FreeBSD... Wait; TrustedBSD, there you go. If the FreeBSD-Jail was the
all-singing and all-dancing solution to everything then why would anybody
care to use anything else?
And, from a security standpoint, Chroot is very bad. The worst thing about
it is that administrators/developers end up trusting it to do stuff it
never was intended to do... like securing your BIND server and stuff like
that. It can be done, but it's actually really difficult to do correctly
since it is so fragile.