e48f32
From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
e48f32
From: Petr Mensik <pemensik@redhat.com>
e48f32
Date: Thu, 26 Nov 2020 12:13:10 +0100
e48f32
Subject: [PATCH] Note specific Red Hat changes in manual page
e48f32
e48f32
Change docbook template instead of generated manual page. Remove
e48f32
system-config-bind reference, package were discontinued.
e48f32
---
e48f32
 bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
e48f32
 1 file changed, 73 insertions(+)
e48f32
e48f32
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
e48f32
index 7e743a9..802bec3 100644
e48f32
--- a/bin/named/named.docbook
e48f32
+++ b/bin/named/named.docbook
e48f32
@@ -516,6 +516,79 @@
e48f32
 
e48f32
   </refsection>
e48f32
 
e48f32
+  <refsection><info><title>NOTES</title></info>
e48f32
+    <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
e48f32
+
e48f32
+    <para>
e48f32
+    By default, Red Hat ships BIND with the most secure SELinux policy
e48f32
+    that will not prevent normal BIND operation and will prevent exploitation
e48f32
+    of all known BIND security vulnerabilities . See the selinux(8) man page
e48f32
+    for information about SElinux.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    It is not necessary to run named in a chroot environment if the Red Hat
e48f32
+    SELinux policy for named is enabled. When enabled, this policy is far
e48f32
+    more secure than a chroot environment. Users are recommended to enable
e48f32
+    SELinux and remove the bind-chroot package.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    With this extra security comes some restrictions:
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    By default, the SELinux policy allows named to write any master
e48f32
+    zone database files. Only the root user may create files in the $ROOTDIR/var/named
e48f32
+    zone database file directory (the options { "directory" } option), where
e48f32
+    $ROOTDIR is set in /etc/sysconfig/named.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    The "named" group must be granted read privelege to
e48f32
+    these files in order for named to be enabled to read them.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    Any file created in the zone database file directory is automatically assigned
e48f32
+    the SELinux file context named_zone_t .
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    By default, SELinux prevents any role from modifying named_zone_t files; this
e48f32
+    means that files in the zone database directory cannot be modified by dynamic
e48f32
+    DNS (DDNS) updates or zone transfers.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    The Red Hat BIND distribution and SELinux policy creates three directories where
e48f32
+    named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
e48f32
+    /var/named/data. By placing files you want named to modify, such as
e48f32
+    slave or DDNS updateable zone files and database / statistics dump files in
e48f32
+    these directories, named will work normally and no further operator action is
e48f32
+    required. Files in these directories are automatically assigned the 'named_cache_t'
e48f32
+    file context, which SELinux allows named to write.
e48f32
+    </para>
e48f32
+    </refsection>
e48f32
+
e48f32
+    <refsection><info><title>Red Hat BIND SDB support</title></info>
e48f32
+
e48f32
+    <para>
e48f32
+    Red Hat ships named with compiled in Simplified Database Backend modules that ISC
e48f32
+    provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
e48f32
+    </para>
e48f32
+
e48f32
+    <para>
e48f32
+    See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
e48f32
+    </para>
e48f32
+    </refsection>
e48f32
+
e48f32
+  </refsection>
e48f32
+
e48f32
   <refsection><info><title>SEE ALSO</title></info>
e48f32
 
e48f32
     <para><citetitle>RFC 1033</citetitle>,
e48f32
-- 
e48f32
2.26.2
e48f32