Comments on: SE Linux vs chroot

By: etbe

etbe — Fri, 24 Aug 2007 10:38:50 +0000

http://www.grep.be/blog/en/retorts/russel_coker_chroots_selinux_jails

Wouter disagrees with me at the above URL. He points out that Jail is a standard feature in FreeBSD, what he doesn’t mention is that SE Linux is a fully functional and supported standard feature in Fedora, Red Hat Enterprise Linux, and CentOS. SE Linux is also a feature in Debian Etch, but it doesn’t work nearly as well as I desire (Lenny will be better).

By: Don Marti

Don Marti — Wed, 22 Aug 2007 19:34:46 +0000

chroot is kind of old school — what about SE Linux vs OpenVZ? You wouldn’t have to configure SELinux for your application, so you save some time there, but you have to configure your other machines so that if a guest gets rooted, it can’t get to anything else. Could be easier to do the OpenVZ route for a complex app, or at least if you spread the OpenVZ setup work across several apps.

By: Joe Buck

Joe Buck — Wed, 22 Aug 2007 17:05:01 +0000

While you make a good argument that SELinux is a better solution than chroot, chroot has the advantage of being portable to all Unix-like OSes. As a result, it’s not going to go away as an option.

By: Adrian Bunk

Adrian Bunk — Wed, 22 Aug 2007 16:14:35 +0000

“I believe that the correct thing to do is to cease using chroot entirely and use SE Linux instead.” might be valid for “chroot for security” use cases.

But this does not apply to some non-security use cases like having a sarge compilation environment on a sid machine.

By: University Update - Linux - SE Linux vs chroot

University Update - Linux - SE Linux vs chroot — Wed, 22 Aug 2007 09:50:37 +0000

[...] SE Linux vs chroot » This Summary is from an article posted at etbe on Wednesday, August 22, 2007 A question that [...]