Diffstat (limited to 'bind-9.3.3rc2-dbus.patch')
| -rw-r--r-- | bind-9.3.3rc2-dbus.patch | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/bind-9.3.3rc2-dbus.patch b/bind-9.3.3rc2-dbus.patch index 7eda95c..a8fbc97 100644 --- a/bind-9.3.3rc2-dbus.patch +++ b/bind-9.3.3rc2-dbus.patch 
@@ -725,77 +725,3 @@ .SH "SIGNALS" .PP In routine operation, signals should not be used to control the nameserver; -@@ -195,6 +202,73 @@ - \fBnamed\fR - configuration file is too complex to describe in detail here. A complete description is provided in the - BIND 9 Administrator Reference Manual. -+.PP -+.SH "NOTES" -+.PP -+.TP -+\fBRed Hat SELinux BIND Security Profile:\fR -+.PP -+By default, Red Hat ships BIND with the most secure SELinux policy -+that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities . See the selinux(8) man page -+for information about SElinux. -+.PP -+It is not necessary to run named in a chroot environment if the Red Hat -+SELinux policy for named is enabled. When enabled, this policy is far -+more secure than a chroot environment. -+.PP -+With this extra security comes some restrictions: -+.br -+By default, the SELinux policy does not allow named to write any master -+zone database files. Only the root user may create files in the $ROOTDIR/var/named -+zone database file directory (the options { "directory" } option), where -+$ROOTDIR is set in /etc/sysconfig/named. -+.br -+The "named" group must be granted read privelege to -+these files in order for named to be enabled to read them. -+.br -+Any file created in the zone database file directory is automatically assigned -+the SELinux file context named_zone_t . -+.br -+By default, SELinux prevents any role from modifying named_zone_t files; this -+means that files in the zone database directory cannot be modified by dynamic -+DNS (DDNS) updates or zone transfers. -+.br -+The Red Hat BIND distribution and SELinux policy creates two directories where -+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and -+$ROOTDIR/var/named/data. 
By placing files you want named to modify, such as -+slave or DDNS updateable zone files and database / statistics dump files in -+these directories, named will work normally and no further operator action is -+required. Files in these directories are automatically assigned the 'named_cache_t' -+file context, which SELinux allows named to write. -+.br -+You can enable the named_t domain to write and create named_zone_t files by use -+of the SELinux tunable boolean variable "named_write_master_zones", using the -+setsebool(8) command or the system-config-security GUI . If you do this, you -+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to -+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory -+to named:named in order for named to be allowed to write them. -+.PP -+\fBRed Hat BIND named_sdb SDB support:\fR -+.PP -+Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program, -+which is named compiled with the Simplified Database Backend modules that ISC -+provides in the "contrib/sdb" directory. -+.br -+The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb. -+.br -+To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes", -+and then the "service named start" named initscript will run named_sdb instead -+of named . -+.br -+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . -+.PP -+\fBRed Hat system-config-bind:\fR -+.PP -+Red Hat provides the system-config-bind GUI to configure named.conf and zone -+database files. Run the "system-config-bind" command and access the manual -+by selecting the Help menu. -+.PP - .SH "FILES" - .PP - \fI/etc/named.conf\fR |
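Review bot: the removed inner hunk (`-@@ -195,6 +202,73 @@`) is the only place the named(8) man page documented the Red Hat SELinux profile, the `named_write_master_zones` boolean together with its required `ENABLE_ZONE_WRITE` setting in /etc/sysconfig/named, the `ENABLE_SDB` switch for named_sdb, and the named_zone_t / named_cache_t split between $ROOTDIR/var/named and its slaves/data subdirectories; none of that is dbus-related, so carving it out of the dbus patch is reasonable, but the commit should state where this NOTES section now lives (a separate man-page patch, for instance) so that operators do not lose the only pointer explaining why named cannot write master zone files under the default policy. Two smaller points: the inner hunk is dropped whole, header and trailing context (` .SH "FILES"` … ` \fI/etc/named.conf\fR`) included, so the remaining patch stays well-formed, but since that hunk grew the file by 67 lines (+202,73 against -195,6), any later hunk of the same file in this patch now carries stale new-side offsets and should be regenerated rather than left to `patch` fuzz; and if the text is re-homed elsewhere, the typo "privelege" and the stray `.PP` directly before `.SH "NOTES"` are worth fixing on the way.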
