Commit | Line | Data |
---|---|---|
ac29baf9 SS |
1 | --- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100 |
2 | +++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100 | |
3 | @@ -205,6 +205,63 @@ | |
4 | \fI/var/run/named/named.pid\fR | |
5 | .RS 4 | |
6 | The default process\-id file. | |
7 | +.PP | |
8 | +.SH "NOTES" | |
9 | +.PP | |
10 | +.TP | |
11 | +\fBRed Hat SELinux BIND Security Profile:\fR | |
12 | +.PP | |
13 | +By default, Red Hat ships BIND with the most secure SELinux policy | |
14 | +that will not prevent normal BIND operation and will prevent exploitation | |
15 | +of all known BIND security vulnerabilities . See the selinux(8) man page | |
16 | +for information about SElinux. | |
17 | +.PP | |
18 | +It is not necessary to run named in a chroot environment if the Red Hat | |
19 | +SELinux policy for named is enabled. When enabled, this policy is far | |
20 | +more secure than a chroot environment. Users are recommended to enable | |
21 | +SELinux and remove the bind-chroot package. | |
22 | +.PP | |
23 | +With this extra security comes some restrictions: | |
24 | +.PP | |
25 | +By default, the SELinux policy does not allow named to write any master | |
26 | +zone database files. Only the root user may create files in the $ROOTDIR/var/named | |
27 | +zone database file directory (the options { "directory" } option), where | |
28 | +$ROOTDIR is set in /etc/sysconfig/named. | |
29 | +.PP | |
30 | +The "named" group must be granted read privelege to | |
31 | +these files in order for named to be enabled to read them. | |
32 | +.PP | |
33 | +Any file created in the zone database file directory is automatically assigned | |
34 | +the SELinux file context named_zone_t . | |
35 | +.PP | |
36 | +By default, SELinux prevents any role from modifying named_zone_t files; this | |
37 | +means that files in the zone database directory cannot be modified by dynamic | |
38 | +DNS (DDNS) updates or zone transfers. | |
39 | +.PP | |
40 | +The Red Hat BIND distribution and SELinux policy creates three directories where | |
41 | +named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic | |
42 | +/var/named/data. By placing files you want named to modify, such as | |
43 | +slave or DDNS updateable zone files and database / statistics dump files in | |
44 | +these directories, named will work normally and no further operator action is | |
45 | +required. Files in these directories are automatically assigned the 'named_cache_t' | |
46 | +file context, which SELinux allows named to write. | |
47 | +.PP | |
48 | +\fBRed Hat BIND SDB support:\fR | |
49 | +.PP | |
50 | +Red Hat ships named with compiled in Simplified Database Backend modules that ISC | |
51 | +provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them | |
52 | +.PP | |
53 | +The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. | |
54 | +.PP | |
55 | +See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . | |
56 | +.br | |
57 | +.PP | |
58 | +\fBRed Hat system-config-bind:\fR | |
59 | +.PP | |
60 | +Red Hat provides the system-config-bind GUI to configure named.conf and zone | |
61 | +database files. Run the "system-config-bind" command and access the manual | |
62 | +by selecting the Help menu. | |
63 | +.PP | |
64 | .RE | |
65 | .SH "SEE ALSO" | |
66 | .PP |
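Review bot: The claim in the first added paragraph, "the most secure SELinux policy that will not prevent normal BIND operation and will prevent exploitation of all known BIND security vulnerabilities", overstates what the policy does and should be reworded; a mandatory access control policy confines what the named process may read and write (exactly what the later paragraphs on named_zone_t and named_cache_t describe), it does not prevent a flaw in named from being triggered. Suggest something like "ships BIND with an SELinux policy that confines named without interfering with normal operation, limiting the damage a compromised named process can do", and likewise soften "this policy is far more secure than a chroot environment" to a concrete statement of what it restricts that a chroot does not. Two statements in the restrictions section read as contradictory and need clarifying: "Only the root user may create files in the $ROOTDIR/var/named zone database file directory" versus "SELinux prevents any role from modifying named_zone_t files"; presumably the second means the named domain cannot modify them, not that root cannot. Roff: ".TP" immediately followed by ".PP" before the bold heading produces an empty tagged paragraph; use ".SS" or a plain ".PP" before the \fB...\fR title instead, and the lone ".br" after the SDB paragraph is unnecessary. Wording: "privelege" should be "privilege", "SElinux" should be "SELinux", "PostGreSQL" should be "PostgreSQL", "vulnerabilities ." and "named_zone_t ." have a stray space before the full stop, "Install bind-sdb package if you want use them" is missing "the", "to" and a terminating period, and the directory list "/var/named/slaves, /var/named/dynamic /var/named/data" needs ", and" between the last two entries.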