Should we get rid of the old chroot jails and trust to apparmor?
They are both basically trying to avoid unforeseen and unwanted access to the filesystem.

eg: The default profile for postfix fails because it doesn't bestow "chroot" privileges to smtpd.
Once bestowed, there are problems because the chrooted daemon wants to get to /default/some-file
and doesn't know it's actually talking about /var/spool/postfix/default
Neither does apparmor 8^(

Is the best practice way to tell postfix NOT to chroot?

There are ways of breaking out of chroot jails, aren't there?
Has apparmor been coded to secure the known techniques?

It's more versatile, is it more secure?
How much of a performance hit?

Thanks for any discussion of this,
michaelj

PS: RTFM replies welcome, as long as they give links to the FM.

--
Michael James                    michael.james@csiro.au
System Administrator             voice: 02 6246 5040
CSIRO Bioinformatics Facility    fax: 02 6246 5166

No matter how much you pay for software, you always get less than you hoped.
Unless you pay nothing, then you get more.