[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[suse-security] Apparmor and chroot
Should we get rid of the old chroot jails and trust to apparmor?
They are both basically trying to avoid
unforseen and unwanted access to the filesystem.
eg: The default profile for postfix fails because
it doesn't bestow "chroot" privileges to smtpd.
Once bestowed, there are problems because
the chrooted daemon wants to get to /default/some-file
and doesn't know it's actually talking about /var/spool/postfix/default
Neither does apparmor 8^(
Is the best practise way to tell postfix NOT to chroot?
There are ways of breaking out of chroot jails aren't there?
Has apparmor been coded to secure the known techniques?
It's more versatile, is it more secure?
How much of a performance hit?
Thanks for any discussion of this,
PS: RTFM replies welcome; as long as they give links to the FM.
Michael James michael.james@xxxxxxxx
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
No matter how much you pay for software,
you always get less than you hoped.
Unless you pay nothing, then you get more.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here