99 lines
3.5 KiB
Diff
99 lines
3.5 KiB
Diff
From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
|
|
From: Petr Mensik <pemensik@redhat.com>
|
|
Date: Thu, 26 Nov 2020 12:13:10 +0100
|
|
Subject: [PATCH] Note specific Red Hat changes in manual page
|
|
|
|
Change docbook template instead of generated manual page. Remove
|
|
system-config-bind reference, package were discontinued.
|
|
---
|
|
bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 73 insertions(+)
|
|
|
|
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
|
|
index 7e743a9..802bec3 100644
|
|
--- a/bin/named/named.docbook
|
|
+++ b/bin/named/named.docbook
|
|
@@ -516,6 +516,79 @@
|
|
|
|
</refsection>
|
|
|
|
+ <refsection><info><title>NOTES</title></info>
|
|
+ <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
|
|
+
|
|
+ <para>
|
|
+ By default, Red Hat ships BIND with the most secure SELinux policy
|
|
+ that will not prevent normal BIND operation and will prevent exploitation
|
|
+ of all known BIND security vulnerabilities . See the selinux(8) man page
|
|
+ for information about SElinux.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ It is not necessary to run named in a chroot environment if the Red Hat
|
|
+ SELinux policy for named is enabled. When enabled, this policy is far
|
|
+ more secure than a chroot environment. Users are recommended to enable
|
|
+ SELinux and remove the bind-chroot package.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ With this extra security comes some restrictions:
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ By default, the SELinux policy allows named to write any master
|
|
+ zone database files. Only the root user may create files in the $ROOTDIR/var/named
|
|
+ zone database file directory (the options { "directory" } option), where
|
|
+ $ROOTDIR is set in /etc/sysconfig/named.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ The "named" group must be granted read privelege to
|
|
+ these files in order for named to be enabled to read them.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ Any file created in the zone database file directory is automatically assigned
|
|
+ the SELinux file context named_zone_t .
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ By default, SELinux prevents any role from modifying named_zone_t files; this
|
|
+ means that files in the zone database directory cannot be modified by dynamic
|
|
+ DNS (DDNS) updates or zone transfers.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ The Red Hat BIND distribution and SELinux policy creates three directories where
|
|
+ named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
|
|
+ /var/named/data. By placing files you want named to modify, such as
|
|
+ slave or DDNS updateable zone files and database / statistics dump files in
|
|
+ these directories, named will work normally and no further operator action is
|
|
+ required. Files in these directories are automatically assigned the 'named_cache_t'
|
|
+ file context, which SELinux allows named to write.
|
|
+ </para>
|
|
+ </refsection>
|
|
+
|
|
+ <refsection><info><title>Red Hat BIND SDB support</title></info>
|
|
+
|
|
+ <para>
|
|
+ Red Hat ships named with compiled in Simplified Database Backend modules that ISC
|
|
+ provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
|
|
+ </para>
|
|
+ </refsection>
|
|
+
|
|
+ </refsection>
|
|
+
|
|
<refsection><info><title>SEE ALSO</title></info>
|
|
|
|
<para><citetitle>RFC 1033</citetitle>,
|
|
--
|
|
2.26.2
|
|
|