--- bind-9.4.0/bin/named/named.8.redhat_doc	2007-01-30 01:23:44.000000000 +0100
+++ bind-9.4.0/bin/named/named.8	2007-03-12 15:39:19.000000000 +0100
@@ -205,6 +205,57 @@
 \fI/var/run/named/named.pid\fR
 .RS 4
 The default process\-id file.
+.PP
+.SH "NOTES"
+.PP
+.TP
+\fBRed Hat SELinux BIND Security Profile:\fR
+.PP
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+.PP
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+.PP
+With this extra security comes some restrictions:
+.PP
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+.PP
+The "named" group must be granted read privelege to 
+these files in order for named to be enabled to read them. 
+.PP
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context named_zone_t .
+.PP
+By default, SELinux prevents any role from modifying named_zone_t files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+.PP
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+/var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in 
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
+file context, which SELinux allows named to write.
+.PP
+\fBRed Hat BIND SDB support:\fR
+.PP
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
+.PP
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
+.PP
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+.br
+.PP
 .RE
 .SH "SEE ALSO"
 .PP
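Review bot: the new `.SH "NOTES"` block is inserted between ` .RS 4` / `The default process\-id file.` and the ` .RE` that was meant to close that FILES entry, so the `.RS`/`.RE` pair is split and the `.RE` now dangles after the NOTES text; move the whole insertion below ` .RE` so the section starts at the left margin regardless of how the macro package handles indentation at `.SH`. Within the section, `+.TP` before `\fBRed Hat SELinux BIND Security Profile:\fR` is not used as a tagged paragraph (the `+.PP` that follows cancels it) while the `\fBRed Hat BIND SDB support:\fR` heading gets no `.TP` at all; use `.SS` for both sub-headings, or drop the `.TP`. The sentence "will prevent exploitation of all known BIND security vulnerabilities" overstates what a confinement policy does: it limits what a compromised named process can read or write, it does not stop a vulnerability from being triggered, so phrase it as limiting the damage of a compromise; "far more secure than a chroot environment" should be qualified the same way. Spelling and punctuation: "privelege" -> "privilege", "SElinux" -> "SELinux", "PostGreSQL" -> "PostgreSQL", "if you want use them" -> "if you want to use them." (missing "to" and full stop), stray spaces before the periods after "vulnerabilities", "named_zone_t" and "bind-sdb-*/", and the directory list needs ", and" between /var/named/dynamic and /var/named/data. The `+.br` directly before `+.PP` is redundant and can go.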