authorAdam Tkac <atkac@fedoraproject.org>2007-06-05 12:16:15 +0000
committerAdam Tkac <atkac@fedoraproject.org>2007-06-05 12:16:15 +0000
commitb312fa5c8ec58aad65aaff4200ee4060dd4013de (patch)
tree794c4705b7b77da8ba14452003e3b35fa24bcc91
parent7ee3a53ecc4e321eb1a16f2360f1a932c86d1737 (diff)
- added /var/named/dynamic directory which is primarily designed for dynamic
DNS zones
bind-9_4_1-5_fc7
-rw-r--r--.cvsignore4
-rw-r--r--bind-9.3.1-redhat_doc.patch78
-rw-r--r--bind-9.3.2-redhat_doc.patch11
-rw-r--r--bind-chroot-admin.in29
-rw-r--r--bind.spec16
-rw-r--r--sources4
6 files changed, 37 insertions, 105 deletions
diff --git a/.cvsignore b/.cvsignore
index 5dedb9f..4cc4430 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,3 @@
-bind-chroot.tar.gz
-libbind-man.tar.gz
bind-9.4.1.tar.gz
+libbind-man.tar.gz
+bind-chroot.tar.bz2
diff --git a/bind-9.3.1-redhat_doc.patch b/bind-9.3.1-redhat_doc.patch
deleted file mode 100644
index 7262906..0000000
--- a/bind-9.3.1-redhat_doc.patch
+++ /dev/null
@@ -1,78 +0,0 @@
---- bind-9.3.1/bin/named/named.8.redhat_doc 2004-06-03 01:35:47.000000000 -0400
-+++ bind-9.3.1/bin/named/named.8 2005-05-17 21:22:25.000000000 -0400
-@@ -164,6 +164,75 @@
- .TP
- \fB\fI/var/run/named.pid\fB\fR
- The default process-id file.
-+.PP
-+.SH "NOTES"
-+.PP
-+.TP
-+\fBRed Hat SELinux BIND Security Profile:\fR
-+.PP
-+By default, Red Hat ships BIND with the most secure SELinux policy
-+that will not prevent normal BIND operation and will prevent exploitation
-+of all known BIND security vulnerabilities . See the selinux(8) man page
-+for information about SElinux.
-+.PP
-+It is not necessary to run named in a chroot environment if the Red Hat
-+SELinux policy for named is enabled. When enabled, this policy is far
-+more secure than a chroot environment. Users are recommended to enable
-+SELinux and remove the bind-chroot package.
-+.PP
-+With this extra security comes some restrictions:
-+.PP
-+By default, the SELinux policy does not allow named to write any master
-+zone database files. Only the root user may create files in the $ROOTDIR/var/named
-+zone database file directory (the options { "directory" } option), where
-+$ROOTDIR is set in /etc/sysconfig/named.
-+.PP
-+The "named" group must be granted read privelege to
-+these files in order for named to be enabled to read them.
-+.PP
-+Any file created in the zone database file directory is automatically assigned
-+the SELinux file context named_zone_t .
-+.PP
-+By default, SELinux prevents any role from modifying named_zone_t files; this
-+means that files in the zone database directory cannot be modified by dynamic
-+DNS (DDNS) updates or zone transfers.
-+.PP
-+The Red Hat BIND distribution and SELinux policy creates two directories where
-+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and
-+$ROOTDIR/var/named/data. By placing files you want named to modify, such as
-+slave or DDNS updateable zone files and database / statistics dump files in
-+these directories, named will work normally and no further operator action is
-+required. Files in these directories are automatically assigned the 'named_cache_t'
-+file context, which SELinux allows named to write.
-+.PP
-+You can enable the named_t domain to write and create named_zone_t files by use
-+of the SELinux tunable boolean variable "named_write_master_zones", using the
-+setsebool(8) command or the system-config-security GUI . If you do this, you
-+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to
-+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory
-+to named:named in order for named to be allowed to write them.
-+.PP
-+\fBRed Hat BIND named_sdb SDB support:\fR
-+.PP
-+Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program,
-+which is named compiled with the Simplified Database Backend modules that ISC
-+provides in the "contrib/sdb" directory.
-+.PP
-+The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb.
-+.PP
-+To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes",
-+and then the "service named start" named initscript will run named_sdb instead
-+of named .
-+.PP
-+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
-+.br
-+.PP
-+\fBRed Hat system-config-bind:\fR
-+.PP
-+Red Hat provides the system-config-bind GUI to configure named.conf and zone
-+database files. Run the "system-config-bind" command and access the manual
-+by selecting the Help menu.
-+.PP
- .SH "SEE ALSO"
- .PP
- \fIRFC 1033\fR,
diff --git a/bind-9.3.2-redhat_doc.patch b/bind-9.3.2-redhat_doc.patch
index 1d1a87a..69593c1 100644
--- a/bind-9.3.2-redhat_doc.patch
+++ b/bind-9.3.2-redhat_doc.patch
@@ -1,6 +1,6 @@
--- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100
+++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100
-@@ -205,6 +205,75 @@
+@@ -205,6 +205,76 @@
\fI/var/run/named.pid\fR
.RS 4
The default process\-id file.
@@ -37,9 +37,9 @@
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+.PP
-+The Red Hat BIND distribution and SELinux policy creates two directories where
-+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and
-+$ROOTDIR/var/named/data. By placing files you want named to modify, such as
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
++and /var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
@@ -50,7 +50,8 @@
+setsebool(8) command or the system-config-security GUI . If you do this, you
+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to
+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory
-+to named:named in order for named to be allowed to write them.
++to named:named in order for named to be allowed to write them.
++NOTE: this approach is deprecated and will be drop in future releases
+.PP
+\fBRed Hat BIND named_sdb SDB support:\fR
+.PP
diff --git a/bind-chroot-admin.in b/bind-chroot-admin.in
index 3ff3e58..6bcc3eb 100644
--- a/bind-chroot-admin.in
+++ b/bind-chroot-admin.in
@@ -78,18 +78,18 @@ function check_dirs()
/bin/chown root:named /etc/sysconfig/named;
/bin/chmod 0640 /etc/sysconfig/named;
fi
- /bin/mkdir -p ${BIND_DIR}/{slaves,data};
+ /bin/mkdir -p ${BIND_DIR}/{slaves,data,dynamic};
/bin/chown --preserve-root root:named ${BIND_DIR};
- /bin/chown --preserve-root named:named ${BIND_DIR}/{slaves,data};
+ /bin/chown --preserve-root named:named ${BIND_DIR}/{slaves,data,dynamic};
/bin/chmod --preserve-root 750 ${BIND_DIR}
- /bin/chmod --preserve-root 770 ${BIND_DIR}/{slaves,data};
+ /bin/chmod --preserve-root 770 ${BIND_DIR}/{slaves,data,dynamic};
- mkdir -p ${BIND_CHROOT_PREFIX}/{etc,dev,var/{run/named,named/{slaves,data}}};
+ mkdir -p ${BIND_CHROOT_PREFIX}/{etc,dev,var/{run/named,named/{slaves,data,dynamic}}};
/bin/chown --preserve-root root:named ${BIND_CHROOT_PREFIX}/{etc,dev,var/{run,named/}};
/bin/chown --preserve-root root:named ${BIND_CHROOT_PREFIX}/var;
/bin/chmod --preserve-root 750 ${BIND_CHROOT_PREFIX}/{,etc,dev,var,var/{run,named/}};
- /bin/chown --preserve-root named:named ${BIND_CHROOT_PREFIX}/var/{run/named,named/{data,slaves}};
- /bin/chmod --preserve-root 770 ${BIND_CHROOT_PREFIX}/var/{run/named,named/{slaves,data}};
+ /bin/chown --preserve-root named:named ${BIND_CHROOT_PREFIX}/var/{run/named,named/{data,slaves,dynamic}};
+ /bin/chmod --preserve-root 770 ${BIND_CHROOT_PREFIX}/var/{run/named,named/{slaves,data,dynamic}};
[ ! -e "${BIND_CHROOT_PREFIX}/dev/random" ] && /bin/mknod "${BIND_CHROOT_PREFIX}/dev/random" c 1 8
[ ! -e "${BIND_CHROOT_PREFIX}/dev/zero" ] && /bin/mknod "${BIND_CHROOT_PREFIX}/dev/zero" c 1 5
@@ -238,7 +238,7 @@ function sync_files()
changed=`/bin/mktemp /tmp/XXXXXX`;
rm -f $changed
if [ $ENABLED -eq 0 ] ; then # chroot is enabled
- /usr/bin/find /{etc/{named.*,rndc.*},${BIND_DIR#/}{/*,/data/*,/slaves/*}} -maxdepth 0 -type f |
+ /usr/bin/find /{etc/{named.*,rndc.*},${BIND_DIR#/}{/*,/data/*,/slaves/*,/dynamic/*}} -maxdepth 0 -type f |
while read f;
do
replace_with_link ${BIND_CHROOT_PREFIX}/$f $f;
@@ -251,7 +251,7 @@ function sync_files()
done
pfx=${BIND_CHROOT_PREFIX}
else # chroot is disabled
- /usr/bin/find /var/named/chroot/{etc/{named.*,rndc.*},var/named{/*,/data/*,/slaves/*}} -maxdepth 0 |
+ /usr/bin/find /var/named/chroot/{etc/{named.*,rndc.*},var/named{/*,/data/*,/slaves/*,/dynamic/*}} -maxdepth 0 |
while read f;
do
if [ ! -d "$f" ]; then
@@ -280,11 +280,11 @@ function sync_files()
chmod 750 ${pfx}/var/named >/dev/null 2>&1;
chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
- chown -h named:named /var/named/{data{,/*},slaves{,*/}} >/dev/null 2>&1;
- chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,*/}} >/dev/null 2>&1;
- chmod 770 ${pfx}/var/named/{data,slaves} >/dev/null 2>&1;
- chmod 660 ${pfx}/var/named/{data/*,slaves/*} >/dev/null 2>&1;
- chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.} >/dev/null 2>&1;
+ chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
+ chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
+ chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
+ chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
+ chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
if [ -e $changed ]; then
if selinux_enabled && [ -x /sbin/restorecon ]; then
/sbin/restorecon -R ${BIND_CHROOT_PREFIX}/etc ${BIND_CHROOT_PREFIX}/var/named ${BIND_CHROOT_PREFIX}/var/run/named >/dev/null 2>&1;
@@ -295,7 +295,7 @@ function sync_files()
/sbin/restorecon /etc/rndc.key >/dev/null 2>&1;
/sbin/restorecon /etc/rndc.conf >/dev/null 2>&1;
/sbin/restorecon /var/named{/,/*} >/dev/null 2>&1;
- /sbin/restorecon /var/named/{slaves,data}{/,/*} >/dev/null 2>&1;
+ /sbin/restorecon /var/named/{slaves,data,dynamic}{/,/*} >/dev/null 2>&1;
/sbin/restorecon /var/named/named.ca ${BIND_CHROOT_PREFIX}/var/named/named.ca >/dev/null 2>&1;
/sbin/restorecon ${BIND_CHROOT_PREFIX} >/dev/null 2>&1;
/sbin/restorecon /var/named/named.ca >/dev/null 2>&1;
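Review bot: `restorecon /var/named/{slaves,data,dynamic}{/,/*}` only gives dynamic/ a label named may write to if the installed SELinux policy already carries a file-context entry for /var/named/dynamic, and nothing in this commit adds one; the man-page text in bind-9.3.2-redhat_doc.patch now asserts that the policy covers three directories, but that is documentation, not policy. If the entry is missing, restorecon relabels dynamic/ to the parent default (presumably named_zone_t, going by the same man-page text), and named is denied writes there despite the 770 named:named mode set in check_dirs, which silently defeats the purpose of the new directory. Suggest recording the dependency, e.g. a comment `# dynamic/ relies on a named_cache_t file context in selinux-policy; restorecon relabels it to the parent default otherwise`, or a Requires on the policy version that ships it. The same assumption underlies the `%dir /var/named/dynamic` and `%dir %prefix/var/named/dynamic` entries added in bind.spec. sync_files continues outside the hunk.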
@@ -319,6 +319,7 @@ function clean_root()
rmdir ${BIND_CHROOT_PREFIX}/var/run/dbus >/dev/null 2>&1 || :;
rmdir ${BIND_CHROOT_PREFIX}/var/run >/dev/null 2>&1 || :;
rmdir ${BIND_CHROOT_PREFIX}/var/named/slaves >/dev/null 2>&1 || :;
+ rmdir ${BIND_CHROOT_PREFIX}/var/named/dynamic >/dev/null 2>&1 || :;
rmdir ${BIND_CHROOT_PREFIX}/var/named/data >/dev/null 2>&1 || :;
rmdir ${BIND_CHROOT_PREFIX}/var/named >/dev/null 2>&1 || :;
rmdir ${BIND_CHROOT_PREFIX}/var/tmp >/dev/null 2>&1 || :;
diff --git a/bind.spec b/bind.spec
index b98ca49..439b2c0 100644
--- a/bind.spec
+++ b/bind.spec
@@ -17,7 +17,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: BSD-like
Version: 9.4.1
-Release: 4%{?dist}
+Release: 5%{?dist}
Epoch: 31
Url: http://www.isc.org/products/BIND/
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -29,7 +29,7 @@ Source2: named.init
Source3: named.logrotate
Source4: keygen.c
Source5: rfc1912.txt
-Source6: bind-chroot.tar.gz
+Source6: bind-chroot.tar.bz2
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
Source8: http://www.venaas.no/ldap/bind-sdb/dnszone.schema
Source9: libbind-man.tar.gz
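Review bot: Source6 is switched to a newly generated bind-chroot.tar.bz2, but neither the commit message nor the changelog hunk says what changed inside the tarball (presumably the var/named/dynamic directory, to match the mkdir and %dir additions), and the only check on it is the md5 line in `sources`, so a reviewer cannot see or verify the content change from this diff. A changelog line such as `- regenerated bind-chroot tarball (bz2) with var/named/dynamic` would make the archive change auditable alongside the spec change.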
@@ -375,11 +375,12 @@ mkdir -p ${RPM_BUILD_ROOT}/usr/{bin,lib,sbin,include}
mkdir -p ${RPM_BUILD_ROOT}/var/named
mkdir -p ${RPM_BUILD_ROOT}/var/named/slaves
mkdir -p ${RPM_BUILD_ROOT}/var/named/data
+mkdir -p ${RPM_BUILD_ROOT}/var/named/dynamic
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
mkdir -p ${RPM_BUILD_ROOT}/var/run/named
#chroot
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}
-tar --no-same-owner -zxvf %{SOURCE6} --directory ${RPM_BUILD_ROOT}/%{chroot_prefix}
+tar --no-same-owner -jxvf %{SOURCE6} --directory ${RPM_BUILD_ROOT}/%{chroot_prefix}
# these are required to prevent them being erased during upgrade of previous
# versions that included them (bug #130121):
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
@@ -478,7 +479,7 @@ for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.int
echo '@ in soa localhost. root 1 3H 15M 1W 1D
ns localhost.' > sample/var/named/$f;
done
-/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.182 2007/05/24 14:16:40 atkac Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\
+/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.183 2007/06/05 12:16:15 atkac Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\
*\
* NOTE: you only need to create this file if it is to\
* differ from the following default contents:
@@ -628,6 +629,7 @@ rm -rf ${RPM_BUILD_ROOT}
%dir /var/named
%defattr(0660,named,named,0770)
%dir /var/named/slaves
+%dir /var/named/dynamic
%dir /var/named/data
%dir /var/run/named
%defattr(0754,root,root,0750)
@@ -761,6 +763,7 @@ rm -rf ${RPM_BUILD_ROOT}
%defattr(0660,named,named,0770)
%dir %prefix/var/named/slaves
%dir %prefix/var/named/data
+%dir %prefix/var/named/dynamic
%dir %prefix/var/run/named
%dir %prefix/var/tmp
%ghost %prefix/dev/null
@@ -806,6 +809,11 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Tue Jun 05 2007 Adam Tkac <atkac redhat com> 31:9.4.1-5.fc7
+- added /var/named/dynamic directory. This directory is primary designed
+ for dynamic DNS zones. In future releases named could write only into
+ dynamic, data and slaves directories
+
* Thu May 24 2007 Adam Tkac <atkac redhat com> 31:9.4.1-4.fc7
- start using deprecated ldap API
- fix minor bug in bind-chroot-admin (#241103)
diff --git a/sources b/sources
index 8c15998..f0f8d82 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-3567c35a24cb83a8a69443a399bbb6c8 bind-chroot.tar.gz
-13fef79f99fcefebb51d84b08805de51 libbind-man.tar.gz
09b54d35036cb0423b2e618f21766285 bind-9.4.1.tar.gz
+13fef79f99fcefebb51d84b08805de51 libbind-man.tar.gz
+5306e4032389c2a8ddba678882bc82ad bind-chroot.tar.bz2