Linux – Does it make sense to use SELinux inside a chroot jail

A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don't run as root, as root users can break out of the jail very easily.

The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot() system call to change the root directory to be at the base of this new tree and start the process running in that chroot'd environment. Since it can't actually reference paths outside the modified root, it can't perform operations (read/write etc.) maliciously on those locations.

On Linux, using a bind mounts is a great way to populate the chroot tree. Using that, you can pull in folders like /lib and /usr/lib while not pulling in /usr, for example. Just bind the directory trees you want to directories you create in the jail directory.

AppArmour is usually thought to be simpler than SELinux. SELinux is quite complex and may be used even in military applications while AppArmour tends to be simpler. SELinux operates on i-node level (i.e. restrictions are applied in the same way as ACL or UNIX permissions - on the other hand ) while AppArmour apply at path level (i.e. you specify the access based on path so when path changes it may not apply). AppArmour can also protect subproccesses (like mod_php only) but I am somehow skeptical about the real use of it. AppArmour seems to find its way into mainline kernel (it is in -mm IIRC).

I don't know much about SMACK but it looks like simplified SELinux from description. There is also RSBAC if you would like to look at it.

chroot has a limited scope of use and I don't think it would be much of use in a desktop environment (it can be used to separate daemons from access of whole system - like DNS daemon).

For sure, it is worth to apply 'generic' hardening such as PaX, -fstack-protector etc. Chroot you can use when your distro supports so does AppArmour/SELinux. I guess SELinux is better suited for high security areas (it has much better control over system) and AppArmour is better for simple hardening.

In general, I wouldn't bother to harden generic desktop very much, except switching off unused services, update regularly, etc. unless you work in highly-secured area. If you want to secure anyway, I would use what your distro is supporting. Many of them to be effective needs the application support (for e.x. compiling tools to support attributes, written rules) so I would advise to use what your distro is supporting.