| diff --git a/bin/named/named.8 b/bin/named/named.8 |
| index ef10ef4..3150b22 100644 |
| |
| |
| @@ -349,6 +349,63 @@ The default configuration file\&. |
| /var/run/named/named\&.pid |
| .RS 4 |
| The default process\-id file\&. |
| +.PP |
| +.SH "NOTES" |
| +.PP |
| +.TP |
| +\fBRed Hat SELinux BIND Security Profile:\fR |
| +.PP |
| +By default, Red Hat ships BIND with the most secure SELinux policy |
| +that will not prevent normal BIND operation and will prevent exploitation |
| +of all known BIND security vulnerabilities . See the selinux(8) man page |
| +for information about SElinux. |
| +.PP |
| +It is not necessary to run named in a chroot environment if the Red Hat |
| +SELinux policy for named is enabled. When enabled, this policy is far |
| +more secure than a chroot environment. Users are recommended to enable |
| +SELinux and remove the bind-chroot package. |
| +.PP |
| +With this extra security comes some restrictions: |
| +.PP |
| +By default, the SELinux policy does not allow named to write any master |
| +zone database files. Only the root user may create files in the $ROOTDIR/var/named |
| +zone database file directory (the options { "directory" } option), where |
| +$ROOTDIR is set in /etc/sysconfig/named. |
| +.PP |
| +The "named" group must be granted read privelege to |
| +these files in order for named to be enabled to read them. |
| +.PP |
| +Any file created in the zone database file directory is automatically assigned |
| +the SELinux file context named_zone_t . |
| +.PP |
| +By default, SELinux prevents any role from modifying named_zone_t files; this |
| +means that files in the zone database directory cannot be modified by dynamic |
| +DNS (DDNS) updates or zone transfers. |
| +.PP |
| +The Red Hat BIND distribution and SELinux policy creates three directories where |
| +named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic |
| +/var/named/data. By placing files you want named to modify, such as |
| +slave or DDNS updateable zone files and database / statistics dump files in |
| +these directories, named will work normally and no further operator action is |
| +required. Files in these directories are automatically assigned the 'named_cache_t' |
| +file context, which SELinux allows named to write. |
| +.PP |
| +\fBRed Hat BIND SDB support:\fR |
| +.PP |
| +Red Hat ships named with compiled in Simplified Database Backend modules that ISC |
| +provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them |
| +.PP |
| +The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. |
| +.PP |
| +See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . |
| +.br |
| +.PP |
| +\fBRed Hat system-config-bind:\fR |
| +.PP |
| +Red Hat provides the system-config-bind GUI to configure named.conf and zone |
| +database files. Run the "system-config-bind" command and access the manual |
| +by selecting the Help menu. |
| +.PP |
| .RE |
| .SH "SEE ALSO" |
| .PP |
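Review bot: the new section is inserted inside the `.RS 4` / `.RE` block that belongs to the `/var/run/named/named.pid` entry under FILES, so `.SH "NOTES"` opens while a relative indent is still active and the original `.RE` now closes it in the middle of NOTES; move the whole block after the existing `.RE` so the section heading is at top level. The `.TP` directly before `\fBRed Hat SELinux BIND Security Profile:\fR` is also malformed, since `.TP` expects the tag line to be followed by body text rather than another `.PP`; the two later headings (`\fBRed Hat BIND SDB support:\fR`, `\fBRed Hat system-config-bind:\fR`) use plain `.PP` plus bold, so drop the `.TP` for consistency, and the stray `.br` before `.PP` near the end is redundant. On content, "will prevent exploitation of all known BIND security vulnerabilities" is a stronger claim than a confinement policy can back; "limit the impact of" or "mitigate" is the defensible wording, since the same paragraph goes on to describe what the policy restricts rather than what it fixes. Minor text fixes: "privelege" -> "privilege", "SElinux" -> "SELinux", "PostGreSQL" -> "PostgreSQL", "if you want use them" -> "if you want to use them", "policy creates" -> "policy create", a missing comma between `/var/named/dynamic` and `/var/named/data`, and the stray spaces before the full stops after "vulnerabilities" and "named_zone_t".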