62 lines
2.5 KiB
diff --git a/bin/named/named.8 b/bin/named/named.8 |
|
index cd990a9..890be36 100644 |
|
--- a/bin/named/named.8 |
|
+++ b/bin/named/named.8 |
|
@@ -358,6 +358,57 @@ The default configuration file\&. |
|
/var/run/named/named\&.pid |
|
.RS 4 |
|
The default process\-id file\&. |
|
+.PP |
|
+.SH "NOTES" |
|
+.PP |
|
+.TP |
|
+\fBRed Hat SELinux BIND Security Profile:\fR |
|
+.PP |
|
+By default, Red Hat ships BIND with the most secure SELinux policy |
|
+that will not prevent normal BIND operation and will prevent exploitation |
|
+of all known BIND security vulnerabilities . See the selinux(8) man page |
|
+for information about SElinux. |
|
+.PP |
|
+It is not necessary to run named in a chroot environment if the Red Hat |
|
+SELinux policy for named is enabled. When enabled, this policy is far |
|
+more secure than a chroot environment. Users are recommended to enable |
|
+SELinux and remove the bind-chroot package. |
|
+.PP |
|
+With this extra security comes some restrictions: |
|
+.PP |
|
+By default, the SELinux policy does not allow named to write any master |
|
+zone database files. Only the root user may create files in the $ROOTDIR/var/named |
|
+zone database file directory (the options { "directory" } option), where |
|
+$ROOTDIR is set in /etc/sysconfig/named. |
|
+.PP |
|
+The "named" group must be granted read privelege to |
|
+these files in order for named to be enabled to read them. |
|
+.PP |
|
+Any file created in the zone database file directory is automatically assigned |
|
+the SELinux file context named_zone_t . |
|
+.PP |
|
+By default, SELinux prevents any role from modifying named_zone_t files; this |
|
+means that files in the zone database directory cannot be modified by dynamic |
|
+DNS (DDNS) updates or zone transfers. |
|
+.PP |
|
+The Red Hat BIND distribution and SELinux policy creates three directories where |
|
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic |
|
+/var/named/data. By placing files you want named to modify, such as |
|
+slave or DDNS updateable zone files and database / statistics dump files in |
|
+these directories, named will work normally and no further operator action is |
|
+required. Files in these directories are automatically assigned the 'named_cache_t' |
|
+file context, which SELinux allows named to write. |
|
+.PP |
|
+\fBRed Hat BIND SDB support:\fR |
|
+.PP |
|
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC |
|
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them |
|
+.PP |
|
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. |
|
+.PP |
|
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . |
|
+.br |
|
+.PP |
|
.RE |
|
.SH "SEE ALSO" |
|
.PP
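Review bot: the new NOTES section is inserted between the `.RS 4` opened for the pid-file entry and the `.RE` that closes it (the `+.PP` / `+.SH "NOTES"` lines sit right after `The default process\-id file\&.` and before `.RE`), so the whole section is nested inside the FILES indentation block; move the `.RE` up so it follows `The default process\-id file\&.` and let `.SH "NOTES"` start after it, keeping `.RS`/`.RE` paired around the file entry only. Related markup: `.TP` before `\fBRed Hat SELinux BIND Security Profile:\fR` immediately followed by `.PP` leaves an empty tagged paragraph, while the second heading `\fBRed Hat BIND SDB support:\fR` uses plain `.PP`; pick one form (`.PP` or `.SS`) for both, and the trailing `.br` directly before `.PP` is redundant. On content, "will prevent exploitation of all known BIND security vulnerabilities" and "far more secure than a chroot environment" are stronger than the page can support: SELinux confinement limits what a compromised named process can do (the paragraphs below correctly describe it as write restrictions on named_zone_t and named_cache_t), it does not prevent exploitation, so "limits the impact of" and dropping the comparative would be more accurate. Typos to fix in the same hunk: "SElinux" should be "SELinux", "privelege" should be "privilege", "PostGreSQL" should be "PostgreSQL", the stray spaces before the periods in "vulnerabilities ." and "named_zone_t .", "if you want use them" is missing "to" and its final period, "/var/named/dynamic /var/named/data" needs "and" between the last two paths, and "distribution and SELinux policy creates" has a plural subject, so "create".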