The term chrooting comes from the chroot Unix system call and command-line utility. This system call changes the root directory of a given process and its children. Because a program cannot reach files outside the root directory, this command is commonly used to protect the rest of the operating system from potentially exposed applications. Each chrooted, or jailed, application must have access inside the jail to the configuration and device files that it requires during normal operations. A good example of chroot use is the standard bind DNS server. To run, bind needs a minimal set of support files:
[root@renault-4l ~]# find /var/named/chroot | grep -v /var/named/chroot/proc
/var/named/chroot
/var/named/chroot/etc
/var/named/chroot/etc/named.conf.2006-9-7_15.1.19
/var/named/chroot/etc/localtime
/var/named/chroot/etc/named.conf.2006-9-7_14.32.16
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/rndc.key
/var/named/chroot/etc/named.rfc1912.zones
/var/named/chroot/etc/named.caching-nameserver.conf
/var/named/chroot/dev
/var/named/chroot/dev/random
/var/named/chroot/dev/null
/var/named/chroot/dev/zero
/var/named/chroot/var
/var/named/chroot/var/run
/var/named/chroot/var/run/dbus
/var/named/chroot/var/run/dbus/system_bus_socket
/var/named/chroot/var/run/named
/var/named/chroot/var/run/named/named.pid
/var/named/chroot/var/tmp
/var/named/chroot/var/named
/var/named/chroot/var/named/keyset-sabre.juniper.net.
/var/named/chroot/var/named/named.root
/var/named/chroot/var/named/named.zero
/var/named/chroot/var/named/Ksabre.juniper.net.+005+48897.key
/var/named/chroot/var/named/sabre.juniper.net.db.signed
/var/named/chroot/var/named/Ksabre.juniper.net.+005+03224.private
/var/named/chroot/var/named/named.zero.2006-9-7_15.1.18
/var/named/chroot/var/named/named.ip6.local
/var/named/chroot/var/named/named.broadcast
/var/named/chroot/var/named/Ksabre.juniper.net.+005+48897.private
/var/named/chroot/var/named/localdomain.zone
/var/named/chroot/var/named/10.157.12.db
/var/named/chroot/var/named/Ksabre.juniper.net.+005+03224.key
/var/named/chroot/var/named/localhost.zone
/var/named/chroot/var/named/dsset-sabre.juniper.net.
/var/named/chroot/var/named/named.ca
/var/named/chroot/var/named/sabre.juniper.net.db
/var/named/chroot/var/named/named.local
/var/named/chroot/var/named/data
/var/named/chroot/var/named/slaves
The default named startup script provided by Fedora Core includes the configuration required to run named in a chroot jail. To configure bind in a chroot environment, first create your configuration outside the jail and make sure it works. Then install the bind-chroot package. That package creates the basic jail tree and moves all the previously created configuration files into the proper directories so that bind can run within the jail. If an attacker manages to remotely access your DNS server through bind, they will only be able to see and change files accessed by bind.
SELinux would also prevent access to files outside of bind's domain. I recommend running SELinux rather than spending the time and energy to manually jail all server processes running on your host.
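Because everything inside the jail remains reachable by a compromised bind, the contents of the tree listed above are worth auditing. The script below is an added example, not part of the original text or of the bind-chroot package: the required paths are taken from the listing, while the permission checks, the function names and the sample tree are assumptions of this example.

```shell
#!/bin/bash
# Added example. REQUIRED is taken from the listing above; the permission
# checks are assumptions of this example, not part of the bind-chroot package.
REQUIRED="etc/named.conf etc/rndc.key etc/localtime dev/null dev/zero dev/random var/named var/run/named"

# Print one finding per line for the jail rooted at $1; nothing if it is clean.
jail_audit() (
    cd "$1" || exit 2
    for rel in $REQUIRED; do
        [ -e "$rel" ] || echo "MISSING $rel"
    done
    # Key material readable by "other" is exposed to every local account.
    find . -type f \( -name 'rndc.key' -o -name '*.private' \) -perm -004 |
        sed 's|^\./||; s|^|WORLD-READABLE-KEY |'
    # World-writable entries, except sticky directories such as var/tmp.
    find . \( -type f -o -type d \) -perm -002 ! -perm -1000 |
        sed 's|^\./||; s|^|WORLD-WRITABLE |'
    # setuid/setgid files have no place in a daemon's jail.
    find . -type f \( -perm -4000 -o -perm -2000 \) |
        sed 's|^\./||; s|^|SETID |'
)

# Constructed sample tree; regular files stand in for the device nodes, and
# dev/random is left out and one key is world-readable on purpose.
build_sample_jail() (
    umask 022
    j=$(mktemp -d) || exit 1
    mkdir -p "$j/etc" "$j/dev" "$j/var/named" "$j/var/run/named" "$j/var/tmp"
    for f in etc/named.conf etc/rndc.key etc/localtime dev/null dev/zero; do
        : > "$j/$f" && chmod 640 "$j/$f"
    done
    : > "$j/var/named/Kexample.test.+005+00001.private"
    chmod 644 "$j/var/named/Kexample.test.+005+00001.private"
    chmod 1777 "$j/var/tmp"
    echo "$j"
)

demo=$(build_sample_jail)
jail_audit "$demo"
rm -rf "$demo"
```

On a real host the call would be jail_audit /var/named/chroot, run as root so that every file in the tree can be examined.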