--- bind-9.3.2/bin/named/named.8.redhat_doc 2005-10-12 22:33:46.000000000 -0400 +++ bind-9.3.2/bin/named/named.8 2006-02-07 15:56:31.000000000 -0500 
@@ -169,6 +169,75 @@ .TP \fI/var/run/named.pid\fR The default process\-id file. +.PP +.SH "NOTES" +.PP +.TP +\fBRed Hat SELinux BIND Security Profile:\fR +.PP +By default, Red Hat ships BIND with the most secure SELinux policy +that will not prevent normal BIND operation and will prevent exploitation +of all known BIND security vulnerabilities . See the selinux(8) man page +for information about SElinux. +.PP +It is not necessary to run named in a chroot environment if the Red Hat +SELinux policy for named is enabled. When enabled, this policy is far +more secure than a chroot environment. Users are recommended to enable +SELinux and remove the bind-chroot package. +.PP +With this extra security comes some restrictions: +.PP +By default, the SELinux policy does not allow named to write any master +zone database files. Only the root user may create files in the $ROOTDIR/var/named +zone database file directory (the options { "directory" } option), where +$ROOTDIR is set in /etc/sysconfig/named. +.PP +The "named" group must be granted read privelege to +these files in order for named to be enabled to read them. +.PP +Any file created in the zone database file directory is automatically assigned +the SELinux file context named_zone_t . +.PP +By default, SELinux prevents any role from modifying named_zone_t files; this +means that files in the zone database directory cannot be modified by dynamic +DNS (DDNS) updates or zone transfers. +.PP +The Red Hat BIND distribution and SELinux policy creates two directories where +named is allowed to create and modify files: $ROOTDIR/var/named/slaves and +$ROOTDIR/var/named/data. By placing files you want named to modify, such as +slave or DDNS updateable zone files and database / statistics dump files in +these directories, named will work normally and no further operator action is +required. Files in these directories are automatically assigned the 'named_cache_t' +file context, which SELinux allows named to write. 
+.PP +You can enable the named_t domain to write and create named_zone_t files by use +of the SELinux tunable boolean variable "named_write_master_zones", using the +setsebool(8) command or the system-config-security GUI . If you do this, you +must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to +1 / yes to set the ownership of files in the $ROOTDIR/var/named directory +to named:named in order for named to be allowed to write them. +.PP +\fBRed Hat BIND named_sdb SDB support:\fR +.PP +Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program, +which is named compiled with the Simplified Database Backend modules that ISC +provides in the "contrib/sdb" directory. +.PP +The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb. +.PP +To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes", +and then the "service named start" named initscript will run named_sdb instead +of named . +.PP +See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . +.br +.PP +\fBRed Hat system-config-bind:\fR +.PP +Red Hat provides the system-config-bind GUI to configure named.conf and zone +database files. Run the "system-config-bind" command and access the manual +by selecting the Help menu. +.PP .SH "SEE ALSO" .PP RFC 1033,
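Review bot: the sentence "will prevent exploitation of all known BIND security vulnerabilities" in the new NOTES section overstates what an SELinux confinement policy can guarantee; the policy limits what a compromised named process can read, write or execute, it does not stop a vulnerability from being triggered. Suggest wording such as "limits the impact of exploitation of known BIND security vulnerabilities". The `.TP` macros are followed directly by `.PP` rather than by a tag line, so the bold headings (for example `\fBRed Hat SELinux BIND Security Profile:\fR`) never become the hanging tag; either put the heading line immediately after `.TP` or drop the `.TP` and keep `.PP`. Minor spelling and punctuation in the added text: "privelege" should be "privilege", "SElinux" should be "SELinux", "PostGreSQL" should be "PostgreSQL", and there are stray spaces before full stops in "vulnerabilities .", "named_zone_t .", "GUI ." and "named .".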