From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Thu, 26 Nov 2020 12:13:10 +0100 Subject: [PATCH] Note specific Red Hat changes in manual page Change the docbook template instead of the generated manual page. Remove the system-config-bind reference; the package was discontinued. --- bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/bin/named/named.docbook b/bin/named/named.docbook index 7e743a9..802bec3 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook 
@@ -516,6 +516,79 @@ + NOTES + Red Hat SELinux BIND Security Profile + + + By default, Red Hat ships BIND with the most secure SELinux policy + that will not prevent normal BIND operation and will prevent exploitation + of all known BIND security vulnerabilities . See the selinux(8) man page + for information about SElinux. + + + + It is not necessary to run named in a chroot environment if the Red Hat + SELinux policy for named is enabled. When enabled, this policy is far + more secure than a chroot environment. Users are recommended to enable + SELinux and remove the bind-chroot package. + + + + With this extra security comes some restrictions: + + + + By default, the SELinux policy allows named to write any master + zone database files. Only the root user may create files in the $ROOTDIR/var/named + zone database file directory (the options { "directory" } option), where + $ROOTDIR is set in /etc/sysconfig/named. + + + + The "named" group must be granted read privelege to + these files in order for named to be enabled to read them. + + + + Any file created in the zone database file directory is automatically assigned + the SELinux file context named_zone_t . + + + + By default, SELinux prevents any role from modifying named_zone_t files; this + means that files in the zone database directory cannot be modified by dynamic + DNS (DDNS) updates or zone transfers. + + + + The Red Hat BIND distribution and SELinux policy creates three directories where + named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic + /var/named/data. By placing files you want named to modify, such as + slave or DDNS updateable zone files and database / statistics dump files in + these directories, named will work normally and no further operator action is + required. Files in these directories are automatically assigned the 'named_cache_t' + file context, which SELinux allows named to write. 
+ + + + Red Hat BIND SDB support + + + Red Hat ships named with compiled in Simplified Database Backend modules that ISC + provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them. + + + + The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. + + + + See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . + + + + + SEE ALSO RFC 1033, -- 2.26.2
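Review bot: the first restriction in the "Red Hat SELinux BIND Security Profile" section contradicts the rest of the list: it says "By default, the SELinux policy allows named to write any master zone database files", yet the bullets that follow say only root may create files in the zone database directory, that files created there receive named_zone_t, and that "SELinux prevents any role from modifying named_zone_t files"; the intended wording is evidently "does not allow named to write any master zone database files", otherwise the reader is told the opposite of the behaviour that the rest of the note, and the /var/named/slaves, /var/named/dynamic and /var/named/data workaround, is built around. The opening paragraph also overclaims: a confinement policy that "will prevent exploitation of all known BIND security vulnerabilities" is not something a manual page can promise, since SELinux limits what a compromised named process can read, write or connect to but does nothing about, for example, an assertion failure that simply crashes the daemon; suggest "limits the damage a compromised named process can do" or similar, and fix the stray "SElinux" to "SELinux" and the space before the full stop in "vulnerabilities .". Smaller points in the same hunk: "privelege" should be "privilege"; the directory list "/var/named/slaves, /var/named/dynamic /var/named/data" is missing a comma and an "and"; "Users are recommended to enable" reads better as "Users are advised to enable"; in the SDB section, "Install bind-sdb package if you want use them" should be "Install the bind-sdb package if you want to use them", and "PostGreSQL" is spelled "PostgreSQL". Finally, the $ROOTDIR prefix and its setting in /etc/sysconfig/named appear right after the text tells users the chroot environment is unnecessary and bind-chroot should be removed; consider saying when $ROOTDIR is actually in effect, or dropping the prefix from the path.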