eb7207
From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
eb7207
From: Petr Mensik <pemensik@redhat.com>
eb7207
Date: Thu, 26 Nov 2020 12:13:10 +0100
eb7207
Subject: [PATCH] Note specific Red Hat changes in manual page
eb7207
eb7207
Change docbook template instead of generated manual page. Remove
eb7207
system-config-bind reference, package were discontinued.
eb7207
---
eb7207
 bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
eb7207
 1 file changed, 73 insertions(+)
eb7207
eb7207
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
eb7207
index 7e743a9..802bec3 100644
eb7207
--- a/bin/named/named.docbook
eb7207
+++ b/bin/named/named.docbook
eb7207
@@ -516,6 +516,79 @@
eb7207
 
eb7207
   </refsection>
eb7207
 
eb7207
+  <refsection><info><title>NOTES</title></info>
eb7207
+    <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
eb7207
+
eb7207
+    <para>
eb7207
+    By default, Red Hat ships BIND with the most secure SELinux policy
eb7207
+    that will not prevent normal BIND operation and will prevent exploitation
eb7207
+    of all known BIND security vulnerabilities . See the selinux(8) man page
eb7207
+    for information about SElinux.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    It is not necessary to run named in a chroot environment if the Red Hat
eb7207
+    SELinux policy for named is enabled. When enabled, this policy is far
eb7207
+    more secure than a chroot environment. Users are recommended to enable
eb7207
+    SELinux and remove the bind-chroot package.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    With this extra security comes some restrictions:
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    By default, the SELinux policy allows named to write any master
eb7207
+    zone database files. Only the root user may create files in the $ROOTDIR/var/named
eb7207
+    zone database file directory (the options { "directory" } option), where
eb7207
+    $ROOTDIR is set in /etc/sysconfig/named.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    The "named" group must be granted read privelege to
eb7207
+    these files in order for named to be enabled to read them.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    Any file created in the zone database file directory is automatically assigned
eb7207
+    the SELinux file context named_zone_t .
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    By default, SELinux prevents any role from modifying named_zone_t files; this
eb7207
+    means that files in the zone database directory cannot be modified by dynamic
eb7207
+    DNS (DDNS) updates or zone transfers.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    The Red Hat BIND distribution and SELinux policy creates three directories where
eb7207
+    named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
eb7207
+    /var/named/data. By placing files you want named to modify, such as
eb7207
+    slave or DDNS updateable zone files and database / statistics dump files in
eb7207
+    these directories, named will work normally and no further operator action is
eb7207
+    required. Files in these directories are automatically assigned the 'named_cache_t'
eb7207
+    file context, which SELinux allows named to write.
eb7207
+    </para>
eb7207
+    </refsection>
eb7207
+
eb7207
+    <refsection><info><title>Red Hat BIND SDB support</title></info>
eb7207
+
eb7207
+    <para>
eb7207
+    Red Hat ships named with compiled in Simplified Database Backend modules that ISC
eb7207
+    provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
eb7207
+    </para>
eb7207
+
eb7207
+    <para>
eb7207
+    See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
eb7207
+    </para>
eb7207
+    </refsection>
eb7207
+
eb7207
+  </refsection>
eb7207
+
eb7207
   <refsection><info><title>SEE ALSO</title></info>
eb7207
 
eb7207
     <para><citetitle>RFC 1033</citetitle>,
eb7207
-- 
eb7207
2.26.2
eb7207