rpms/bind9-next
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ad1c46614e
bind9-next/bind-9.16-redhat_doc.patch
Petr Menšík 990ae7c669 Import some data from bind branch bind9-dev 
Imports commit  7e1db866748aef3c07657e0761b19aec6de9bf6f
2023-01-27 18:24:45 +01:00

66 lines
2.5 KiB
Diff
Raw Blame History

From baec1c0c1822d3ba89cc7e5e530888c865a899f7 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 17 Jun 2020 23:17:13 +0200
Subject: [PATCH] Update man named with Red Hat specifics
This is almost unmodified text and requires revalidation. Some of those
statements are no longer correct.
---
bin/named/named.rst | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/bin/named/named.rst b/bin/named/named.rst
index 3fa96e0..4390e73 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -236,6 +236,46 @@ Files
``/var/run/named/named.pid``
The default process-id file.
+Notes
+~~~~~
+
+**Red Hat SELinux BIND Security Profile:**
+
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+
+*With this extra security comes some restrictions:*
+
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context *named_zone_t* .
+
+By default, SELinux prevents any role from modifying *named_zone_t* files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux allows named to write.
+
See Also
~~~~~~~~
--
2.31.1
Reference in New Issue View Git Blame Copy Permalink