Enable systemd hardening options for named

Reindl Harald h.reindl at thelounge.net
Wed Jan 31 15:23:09 UTC 2018

Am 31.01.2018 um 16:16 schrieb Daniel Stirnimann:
>> it is completly irrelevant because when you switch SELinux to
>> "permissive" in case you need to debug something it's gone and hence
>> layered-security is always the way to go
> I don't understand this negative perception of SELinux. Why do you think
> debugging differs from any other applied hardening e.g. linux capabilities?

there was none

> From my experience and we had SELinux in enforcing mode on our DNS
> servers with BIND for over a year. SELinux provides very clear error
> reporting in case anything should go wrong. You can easily modify the
> policy or in a worst case, you can set specific services to permissive
> mode and leave the rest in enforcing mode

that don't change the fact that from that moment on all protections for 
*that* service are gone while with layered security and 
systemd-hardening are still in place

it's terrible helpful to have hardening on every stack which provides it 
and be it only because you made a mistake in a SElinux polciy opened 
something which was not by intention

the same for network-layers - just because i have a datacenter firewall 
in place i don't disable iptables/nftables on the machines itself, just 
because i bound the only relevant service to a specfic NIC i don't turn 
off the firewall because when years later someone changes the binding 
without knowing the outcome he exposes the service to the internet while 
with the firewall in place it's still as intended

More information about the bind-users mailing list