Jail configuration files are located in /etc/sysconfig/jail and must have the same name as the package, in uppercase, e.g. /etc/sysconfig/jail/POSTFIX
Chroot jails are initialized or shut down with the helper script /etc/init.d/jail. This script takes 2 parameters:
<action> This is either start or stop.
<config> This is the filename of the jail definition file, without the pathname, i.e.: POSTFIX
To create the postfix jail you would issue the command: /etc/init.d/jail start POSTFIX
Take a look at the sample config file below and at what you find on your Devil-Linux box in the directory /etc/sysconfig/jail.
Devil-Linux uses the program compartment (originally created by SuSE's Marc Heuse, but he doesn't maintain it anymore) to start daemons in a chroot jail. The version of compartment used here has some more features than the standard v1.2, so check what man compartment or compartment --help on your Devil-Linux box has to tell you.
A very nice feature of compartment is that you can set Linux Capabilities. I can't explain here what this is, so go ahead and run man capset and take a look at linux-2.4.20/include/linux/capability.h (not on Devil-Linux!) or ask Google. ;-)
    # $Source: /cvsroot/devil-linux/build/docs/documentation/documentation.xml,v $
    # $Revision: 220.127.116.11 $
    # $Date: 2004/06/16 17:12:53 $
    #
    # http://www.devil-linux.org
    #
    # define the chroot-jail for Lotus Domino Server

    # name of the daemon
    NAME Lotus Domino

    # filename of the daemon
    # leave empty, if you want to start the daemon yourself
    #DAEMON /opt/lotus/bin/server

    # parameters to give to the daemon
    # leave empty, when you start the daemon yourself
    #PARAM

    # define user and group under which this daemon should run
    # leave empty, when you start the daemon yourself
    USER notes
    GROUP notes

    # set Linux capabilities
    # leave empty, when you start the daemon yourself
    #CAP CAP_NET_BIND_SERVICE

    # define this, if daemon needs another directory
    # when you specify this, the chroot jail is not cleaned upon initialization
    #JAILDIR /jail/DOMINO

    # define this, when the jail directory should not be emptied
    NODELETE 1

    # define this, if the package should not be unpacked into the jail root directory
    #PACKAGEDIR /

    # devices to create
    # parameter: devicename type major minor user.group rights
    DEV null c 1 3 0.0 0666
    DEV zero c 1 5 0.0 0666
    DEV tty9 c 4 9 0.0 0666

    # files and directories to copy
    COPY /etc/resolv.conf
    COPY /etc/services
    COPY /etc/host.conf
    COPY /etc/nsswitch.conf
    COPY /lib/libnss_dns*
    COPY /etc/localtime

    # copy the user/group from the main /etc/passwd and /etc/group files
    # this doesn't copy anything from /etc/shadow !
    COPYUSER notes
    COPYGROUP notes

    # specify what should be mounted
    # MOUNT <device> <mount-point> <mount-parameters>
    MOUNT /dev/devil-linux/dominobin /opt -o ro,nodev
    MOUNT /dev/devil-linux/dominodata /var/data -o rw,noexec,nodev
    MOUNT none /proc -o ro,noexec,nodev -t proc
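A jail definition in the format of the sample above can be checked mechanically before the jail is started. The following Python linter is an added example, not part of the Devil-Linux documentation or scripts: its parsing rules (whitespace-separated directives, # comments) are inferred from the sample, and its policy (nodev on every mount, noexec on writable mounts, a non-root USER when DAEMON is set) is an assumption of this example.

```python
# Added example: lint a jail definition file. Directive names are taken from the
# sample on this page; the three policy rules are assumptions of this example.
KNOWN = {"NAME", "DAEMON", "PARAM", "USER", "GROUP", "CAP", "JAILDIR", "NODELETE",
         "PACKAGEDIR", "DEV", "COPY", "COPYUSER", "COPYGROUP", "MOUNT"}
# Constructed input: lines from the page's Domino sample with DAEMON run as
# root, one misspelt directive, and the options weakened on two MOUNT lines.
SAMPLE = """\
NAME Lotus Domino
DAEMON /opt/lotus/bin/server
USER root
GROUP notes
COPYUSR notes
MOUNT /dev/devil-linux/dominobin /opt -o ro
MOUNT /dev/devil-linux/dominodata /var/data -o rw,nodev
MOUNT none /proc -o ro,noexec,nodev -t proc
"""

def parse(text):
    """Yield (line number, directive, args); skip blank lines and # comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            yield n, key, args

def mount_options(args):
    """Return the set of comma-separated options that follow each -o."""
    opts = set()
    for flag, value in zip(args, args[1:]):
        if flag == "-o":
            opts.update(value.split(","))
    return opts

def audit(text):
    """Return sorted (line number, message) findings; line 0 means 'not present'."""
    entries = list(parse(text))
    findings = [(n, f"unknown directive {k}") for n, k, _ in entries if k not in KNOWN]
    has_daemon = any(k == "DAEMON" and a for _, k, a in entries)
    user = next(((n, a) for n, k, a in entries if k == "USER"), (0, []))
    if has_daemon and user[1][:1] in ([], ["root"], ["0"]):
        findings.append((user[0], "DAEMON is set but USER is missing or root"))
    for n, k, a in entries:
        if k == "MOUNT":
            opts = mount_options(a)
            if "nodev" not in opts:
                findings.append((n, "mount lacks nodev"))
            if "ro" not in opts and "noexec" not in opts:
                findings.append((n, "writable mount lacks noexec"))
    return sorted(findings)
```

Calling audit(SAMPLE) reports the four weakened lines, while the Domino definition shown on this page produces no findings under these rules.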