Enable systemd hardening options for named
daniel.stirnimann at switch.ch
Wed Jan 31 15:16:39 UTC 2018
> it is completly irrelevant because when you switch SELinux to
> "permissive" in case you need to debug something it's gone and hence
> layered-security is always the way to go
I don't understand this negative perception of SELinux. Why do you think
debugging differs from any other applied hardening e.g. linux capabilities?
>From my experience and we had SELinux in enforcing mode on our DNS
servers with BIND for over a year. SELinux provides very clear error
reporting in case anything should go wrong. You can easily modify the
policy or in a worst case, you can set specific services to permissive
mode and leave the rest in enforcing mode.
More information about the bind-users