Enable systemd hardening options for named

Daniel Stirnimann daniel.stirnimann at switch.ch
Wed Jan 31 15:16:39 UTC 2018

> it is completly irrelevant because when you switch SELinux to 
> "permissive" in case you need to debug something it's gone and hence 
> layered-security is always the way to go

I don't understand this negative perception of SELinux. Why do you think
debugging differs from any other applied hardening e.g. linux capabilities?

>From my experience and we had SELinux in enforcing mode on our DNS
servers with BIND for over a year. SELinux provides very clear error
reporting in case anything should go wrong. You can easily modify the
policy or in a worst case, you can set specific services to permissive
mode and leave the rest in enforcing mode.


More information about the bind-users mailing list