Blob Blame History Raw
From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 26 Nov 2020 12:13:10 +0100
Subject: [PATCH] Note specific Red Hat changes in manual page

Change docbook template instead of generated manual page. Remove
system-config-bind reference, package were discontinued.
---
 bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 7e743a9..802bec3 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -516,6 +516,79 @@
 
   </refsection>
 
+  <refsection><info><title>NOTES</title></info>
+    <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
+
+    <para>
+    By default, Red Hat ships BIND with the most secure SELinux policy
+    that will not prevent normal BIND operation and will prevent exploitation
+    of all known BIND security vulnerabilities . See the selinux(8) man page
+    for information about SElinux.
+    </para>
+
+    <para>
+    It is not necessary to run named in a chroot environment if the Red Hat
+    SELinux policy for named is enabled. When enabled, this policy is far
+    more secure than a chroot environment. Users are recommended to enable
+    SELinux and remove the bind-chroot package.
+    </para>
+
+    <para>
+    With this extra security comes some restrictions:
+    </para>
+
+    <para>
+    By default, the SELinux policy allows named to write any master
+    zone database files. Only the root user may create files in the $ROOTDIR/var/named
+    zone database file directory (the options { "directory" } option), where
+    $ROOTDIR is set in /etc/sysconfig/named.
+    </para>
+
+    <para>
+    The "named" group must be granted read privelege to
+    these files in order for named to be enabled to read them.
+    </para>
+
+    <para>
+    Any file created in the zone database file directory is automatically assigned
+    the SELinux file context named_zone_t .
+    </para>
+
+    <para>
+    By default, SELinux prevents any role from modifying named_zone_t files; this
+    means that files in the zone database directory cannot be modified by dynamic
+    DNS (DDNS) updates or zone transfers.
+    </para>
+
+    <para>
+    The Red Hat BIND distribution and SELinux policy creates three directories where
+    named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+    /var/named/data. By placing files you want named to modify, such as
+    slave or DDNS updateable zone files and database / statistics dump files in
+    these directories, named will work normally and no further operator action is
+    required. Files in these directories are automatically assigned the 'named_cache_t'
+    file context, which SELinux allows named to write.
+    </para>
+    </refsection>
+
+    <refsection><info><title>Red Hat BIND SDB support</title></info>
+
+    <para>
+    Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+    provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
+    </para>
+
+    <para>
+    The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
+    </para>
+
+    <para>
+    See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+    </para>
+    </refsection>
+
+  </refsection>
+
   <refsection><info><title>SEE ALSO</title></info>
 
     <para><citetitle>RFC 1033</citetitle>,
-- 
2.26.2