[people/ms/ipfire-3.x.git] / bind / patches / bind-9.3.2-redhat_doc.patch

--- bind-9.4.0/bin/named/named.8.redhat_doc	2007-01-30 01:23:44.000000000 +0100
+++ bind-9.4.0/bin/named/named.8	2007-03-12 15:39:19.000000000 +0100
@@ -205,6 +205,63 @@
 \fI/var/run/named/named.pid\fR
 .RS 4
 The default process\-id file.
+.PP
+.SH "NOTES"
+.PP
+.TP
+\fBRed Hat SELinux BIND Security Profile:\fR
+.PP
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+.PP
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+.PP
+With this extra security comes some restrictions:
+.PP
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+.PP
+The "named" group must be granted read privelege to 
+these files in order for named to be enabled to read them. 
+.PP
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context named_zone_t .
+.PP
+By default, SELinux prevents any role from modifying named_zone_t files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+.PP
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+/var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in 
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
+file context, which SELinux allows named to write.
+.PP
+\fBRed Hat BIND SDB support:\fR
+.PP
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
+.PP
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
+.PP
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+.br
+.PP
+\fBRed Hat system-config-bind:\fR
+.PP
+Red Hat provides the system-config-bind GUI to configure named.conf and zone
+database files. Run the "system-config-bind" command and access the manual
+by selecting the Help menu.
+.PP
 .RE
 .SH "SEE ALSO"
 .PP
Commit	Line	Data
ac29baf9 SS	1	--- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100
	2	+++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100
	3	@@ -205,6 +205,63 @@
	4	\fI/var/run/named/named.pid\fR
	5	.RS 4
	6	The default process\-id file.
	7	+.PP
	8	+.SH "NOTES"
	9	+.PP
	10	+.TP
	11	+\fBRed Hat SELinux BIND Security Profile:\fR
	12	+.PP
	13	+By default, Red Hat ships BIND with the most secure SELinux policy
	14	+that will not prevent normal BIND operation and will prevent exploitation
	15	+of all known BIND security vulnerabilities . See the selinux(8) man page
	16	+for information about SElinux.
	17	+.PP
	18	+It is not necessary to run named in a chroot environment if the Red Hat
	19	+SELinux policy for named is enabled. When enabled, this policy is far
	20	+more secure than a chroot environment. Users are recommended to enable
	21	+SELinux and remove the bind-chroot package.
	22	+.PP
	23	+With this extra security comes some restrictions:
	24	+.PP
	25	+By default, the SELinux policy does not allow named to write any master
	26	+zone database files. Only the root user may create files in the $ROOTDIR/var/named
	27	+zone database file directory (the options { "directory" } option), where
	28	+$ROOTDIR is set in /etc/sysconfig/named.
	29	+.PP
	30	+The "named" group must be granted read privelege to
	31	+these files in order for named to be enabled to read them.
	32	+.PP
	33	+Any file created in the zone database file directory is automatically assigned
	34	+the SELinux file context named_zone_t .
	35	+.PP
	36	+By default, SELinux prevents any role from modifying named_zone_t files; this
	37	+means that files in the zone database directory cannot be modified by dynamic
	38	+DNS (DDNS) updates or zone transfers.
	39	+.PP
	40	+The Red Hat BIND distribution and SELinux policy creates three directories where
	41	+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
	42	+/var/named/data. By placing files you want named to modify, such as
	43	+slave or DDNS updateable zone files and database / statistics dump files in
	44	+these directories, named will work normally and no further operator action is
	45	+required. Files in these directories are automatically assigned the 'named_cache_t'
	46	+file context, which SELinux allows named to write.
	47	+.PP
	48	+\fBRed Hat BIND SDB support:\fR
	49	+.PP
	50	+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
	51	+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
	52	+.PP
	53	+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
	54	+.PP
	55	+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
	56	+.br
	57	+.PP
	58	+\fBRed Hat system-config-bind:\fR
	59	+.PP
	60	+Red Hat provides the system-config-bind GUI to configure named.conf and zone
	61	+database files. Run the "system-config-bind" command and access the manual
	62	+by selecting the Help menu.
	63	+.PP
	64	.RE
65	.SH "SEE ALSO"
66	.PP