667fce
regenerate for non-DBUS builds
@@ -0,0 +1,78 @@
+
--- bind-9.3.2/bin/named/named.8.redhat_doc 2005-10-12 22:33:46.000000000 -0400
+
+++ bind-9.3.2/bin/named/named.8 2006-02-07 15:56:31.000000000 -0500
+
+
.TP
+
\fI/var/run/named.pid\fR
+
The default process\-id file.
+
+.PP
+
+.SH "NOTES"
+
+.PP
+
+.TP
+
+\fBRed Hat SELinux BIND Security Profile:\fR
+
+.PP
+
+By default, Red Hat ships BIND with the most secure SELinux policy
+
+that will not prevent normal BIND operation and will prevent exploitation
+
+of all known BIND security vulnerabilities . See the selinux(8) man page
+
+for information about SElinux.
+
+.PP
+
+It is not necessary to run named in a chroot environment if the Red Hat
+
+SELinux policy for named is enabled. When enabled, this policy is far
+
+more secure than a chroot environment. Users are recommended to enable
+
+SELinux and remove the bind-chroot package.
+
+.PP
+
+With this extra security comes some restrictions:
+
+.PP
+
+By default, the SELinux policy does not allow named to write any master
+
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+
+zone database file directory (the options { "directory" } option), where
+
+$ROOTDIR is set in /etc/sysconfig/named.
+
+.PP
+
+The "named" group must be granted read privelege to
+
+these files in order for named to be enabled to read them.
+
+.PP
+
+Any file created in the zone database file directory is automatically assigned
+
+the SELinux file context named_zone_t .
+
+.PP
+
+By default, SELinux prevents any role from modifying named_zone_t files; this
+
+means that files in the zone database directory cannot be modified by dynamic
+
+DNS (DDNS) updates or zone transfers.
+
+.PP
+
+The Red Hat BIND distribution and SELinux policy creates two directories where
+
+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and
+
+$ROOTDIR/var/named/data. By placing files you want named to modify, such as
+
+slave or DDNS updateable zone files and database / statistics dump files in
+
+these directories, named will work normally and no further operator action is
+
+required. Files in these directories are automatically assigned the 'named_cache_t'
+
+file context, which SELinux allows named to write.
+
+.PP
+
+You can enable the named_t domain to write and create named_zone_t files by use
+
+of the SELinux tunable boolean variable "named_write_master_zones", using the
+
+setsebool(8) command or the system-config-security GUI . If you do this, you
+
+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to
+
+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory
+
+to named:named in order for named to be allowed to write them.
+
+.PP
+
+\fBRed Hat BIND named_sdb SDB support:\fR
+
+.PP
+
+Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program,
+
+which is named compiled with the Simplified Database Backend modules that ISC
+
+provides in the "contrib/sdb" directory.
+
+.PP
+
+The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb.
+
+.PP
+
+To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes",
+
+and then the "service named start" named initscript will run named_sdb instead
+
+of named .
+
+.PP
+
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+
+.br
+
+.PP
+
+\fBRed Hat system-config-bind:\fR
+
+.PP
+
+Red Hat provides the system-config-bind GUI to configure named.conf and zone
+
+database files. Run the "system-config-bind" command and access the manual
+
+by selecting the Help menu.
+
+.PP
+
.SH "SEE ALSO"
+
.PP
+
RFC 1033,
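Review bot: the claim "will prevent exploitation of all known BIND security vulnerabilities" in the new NOTES section overstates what a targeted SELinux policy does; confining named_t limits what a compromised named process can reach (file contexts, ports, other domains), it does not stop a bug in named from being triggered, so suggest "will limit the damage from exploitation of known BIND security vulnerabilities". The same hunk recommends removing bind-chroot because the policy is "far more secure than a chroot environment", but that only holds when SELinux is enforcing; since the text is conditioned on the policy being "enabled", it should say explicitly that the recommendation does not apply where SELinux is disabled or in permissive mode. The named_write_master_zones paragraph should also flag the trade-off it introduces: setting ENABLE_ZONE_WRITE to change ownership of everything under $ROOTDIR/var/named to named:named hands the daemon write access to every master zone, which is exactly what the default "does not allow named to write any master zone database files" restriction is protecting. Smaller points in the same hunk: "privelege" should be "privilege", "SElinux" should be "SELinux", "PostGreSQL" should be "PostgreSQL", the GUI name at "system-config-security GUI" should be checked against the tool actually shipped, and there are stray spaces before the periods in "vulnerabilities .", "named_zone_t .", "GUI .", "named ." and "/usr/share/doc/bind-sdb-*/ .".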