|
 |
cf16a9 |
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
|
|
|
cf16a9 |
From: Petr Mensik <pemensik@redhat.com>
|
|
|
cf16a9 |
Date: Wed, 17 Jun 2020 23:17:13 +0200
|
|
|
cf16a9 |
Subject: [PATCH] Update man named with Red Hat specifics
|
|
|
cf16a9 |
|
|
|
cf16a9 |
This is almost unmodified text and requires revalidation. Some of those
|
|
|
cf16a9 |
statements are no longer correct.
|
|
|
cf16a9 |
---
|
|
|
cf16a9 |
bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
|
|
|
cf16a9 |
1 file changed, 35 insertions(+)
|
|
|
cf16a9 |
|
|
|
cf16a9 |
diff --git a/bin/named/named.rst b/bin/named/named.rst
|
|
|
cf16a9 |
index 6fd8f87..3cd6350 100644
|
|
|
cf16a9 |
--- a/bin/named/named.rst
|
|
|
cf16a9 |
+++ b/bin/named/named.rst
|
|
|
cf16a9 |
@@ -228,6 +228,41 @@ Files
|
|
|
cf16a9 |
``/var/run/named/named.pid``
|
|
|
cf16a9 |
The default process-id file.
|
|
|
cf16a9 |
|
|
|
cf16a9 |
+Notes
|
|
|
cf16a9 |
+~~~~~
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+**Red Hat SELinux BIND Security Profile:**
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+By default, Red Hat ships BIND with the most secure SELinux policy
|
|
|
cf16a9 |
+that will not prevent normal BIND operation and will prevent exploitation
|
|
|
cf16a9 |
+of all known BIND security vulnerabilities. See the selinux(8) man page
|
|
|
cf16a9 |
+for information about SElinux.
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+It is not necessary to run named in a chroot environment if the Red Hat
|
|
|
cf16a9 |
+SELinux policy for named is enabled. When enabled, this policy is far
|
|
|
cf16a9 |
+more secure than a chroot environment. Users are recommended to enable
|
|
|
cf16a9 |
+SELinux and remove the bind-chroot package.
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+*With this extra security comes some restrictions:*
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+By default, the SELinux policy does not allow named to write outside directory
|
|
|
cf16a9 |
+/var/named. That directory used to be read-only for named, but write access is
|
|
|
cf16a9 |
+enabled by default now.
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+The "named" group must be granted read privelege to
|
|
|
cf16a9 |
+these files in order for named to be enabled to read them.
|
|
|
cf16a9 |
+Any file updated by named must be writeable by named user or named group.
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+Any file created in the zone database file directory is automatically assigned
|
|
|
cf16a9 |
+the SELinux file context *named_zone_t* .
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
+The Red Hat BIND distribution and SELinux policy creates three directories where
|
|
|
cf16a9 |
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
|
|
|
cf16a9 |
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
|
|
|
cf16a9 |
+permissions. They are used for better organisation of zones and backward compatibility.
|
|
|
cf16a9 |
+Files in these directories are automatically assigned the '*named_cache_t*'
|
|
|
cf16a9 |
+file context, which SELinux always allows named to write.
|
|
|
cf16a9 |
+
|
|
|
cf16a9 |
See Also
|
|
|
cf16a9 |
~~~~~~~~
|
|
|
cf16a9 |
|
|
|
cf16a9 |
--
|
|
|
cf16a9 |
2.26.2
|
|
|
cf16a9 |
|