diff options
Diffstat (limited to 'bind-9.3.1-redhat_doc.patch')
-rw-r--r-- | bind-9.3.1-redhat_doc.patch | 78 |
1 files changed, 0 insertions, 78 deletions
diff --git a/bind-9.3.1-redhat_doc.patch b/bind-9.3.1-redhat_doc.patch deleted file mode 100644 index 7262906..0000000 --- a/bind-9.3.1-redhat_doc.patch +++ /dev/null @@ -1,78 +0,0 @@ ---- bind-9.3.1/bin/named/named.8.redhat_doc 2004-06-03 01:35:47.000000000 -0400 -+++ bind-9.3.1/bin/named/named.8 2005-05-17 21:22:25.000000000 -0400 -@@ -164,6 +164,75 @@ - .TP - \fB\fI/var/run/named.pid\fB\fR - The default process-id file. -+.PP -+.SH "NOTES" -+.PP -+.TP -+\fBRed Hat SELinux BIND Security Profile:\fR -+.PP -+By default, Red Hat ships BIND with the most secure SELinux policy -+that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities . See the selinux(8) man page -+for information about SElinux. -+.PP -+It is not necessary to run named in a chroot environment if the Red Hat -+SELinux policy for named is enabled. When enabled, this policy is far -+more secure than a chroot environment. Users are recommended to enable -+SELinux and remove the bind-chroot package. -+.PP -+With this extra security comes some restrictions: -+.PP -+By default, the SELinux policy does not allow named to write any master -+zone database files. Only the root user may create files in the $ROOTDIR/var/named -+zone database file directory (the options { "directory" } option), where -+$ROOTDIR is set in /etc/sysconfig/named. -+.PP -+The "named" group must be granted read privelege to -+these files in order for named to be enabled to read them. -+.PP -+Any file created in the zone database file directory is automatically assigned -+the SELinux file context named_zone_t . -+.PP -+By default, SELinux prevents any role from modifying named_zone_t files; this -+means that files in the zone database directory cannot be modified by dynamic -+DNS (DDNS) updates or zone transfers. -+.PP -+The Red Hat BIND distribution and SELinux policy creates two directories where -+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and -+$ROOTDIR/var/named/data. By placing files you want named to modify, such as -+slave or DDNS updateable zone files and database / statistics dump files in -+these directories, named will work normally and no further operator action is -+required. Files in these directories are automatically assigned the 'named_cache_t' -+file context, which SELinux allows named to write. -+.PP -+You can enable the named_t domain to write and create named_zone_t files by use -+of the SELinux tunable boolean variable "named_write_master_zones", using the -+setsebool(8) command or the system-config-security GUI . If you do this, you -+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to -+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory -+to named:named in order for named to be allowed to write them. -+.PP -+\fBRed Hat BIND named_sdb SDB support:\fR -+.PP -+Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program, -+which is named compiled with the Simplified Database Backend modules that ISC -+provides in the "contrib/sdb" directory. -+.PP -+The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb. -+.PP -+To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes", -+and then the "service named start" named initscript will run named_sdb instead -+of named . -+.PP -+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . -+.br -+.PP -+\fBRed Hat system-config-bind:\fR -+.PP -+Red Hat provides the system-config-bind GUI to configure named.conf and zone -+database files. Run the "system-config-bind" command and access the manual -+by selecting the Help menu. -+.PP - .SH "SEE ALSO" - .PP - \fIRFC 1033\fR, |