rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity
1984850958
bind/bind-9.16-redhat_doc.patch
DistroBaker 1984850958 Merged update from upstream sources 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/bind.git#84e2317aef685da5ba32268db0d9abe7b9799362
2021-01-22 20:42:08 +00:00

75 lines
2.9 KiB
Diff
Raw Blame History

From 86fd25f3f0c5189fa93e10c6afa1a1cffe639ade Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 17 Jun 2020 23:17:13 +0200
Subject: [PATCH] Update man named with Red Hat specifics
This is almost unmodified text and requires revalidation. Some of those
statements are no longer correct.
---
bin/named/named.rst | 49 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/bin/named/named.rst b/bin/named/named.rst
index 3c54a67..c44b6d7 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -228,6 +228,55 @@ Files
``/var/run/named/named.pid``
The default process-id file.
+Notes
+~~~~~
+
+**Red Hat SELinux BIND Security Profile:**
+
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+
+*With this extra security comes some restrictions:*
+
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context *named_zone_t* .
+
+By default, SELinux prevents any role from modifying *named_zone_t* files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux allows named to write.
+
+**Red Hat BIND SDB support:**
+
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+provides in the "contrib/sdb" directory. Install **bind-sdb** package if you want use them
+
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into *named-sdb*.
+
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+
See Also
~~~~~~~~
--
2.26.2
Reference in New Issue View Git Blame Copy Permalink