diff --git a/.cvsignore b/.cvsignore
index 5dedb9f..7284b18 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,3 @@
-bind-chroot.tar.gz
-libbind-man.tar.gz
 bind-9.4.1.tar.gz
+bind-chroot.tar.bz2
+libbind-man.tar.gz
diff --git a/bind-9.3.1-redhat_doc.patch b/bind-9.3.1-redhat_doc.patch
deleted file mode 100644
index 7262906..0000000
--- a/bind-9.3.1-redhat_doc.patch
+++ /dev/null
@@ -1,78 +0,0 @@
---- bind-9.3.1/bin/named/named.8.redhat_doc 2004-06-03 01:35:47.000000000 -0400
-+++ bind-9.3.1/bin/named/named.8 2005-05-17 21:22:25.000000000 -0400
-@@ -164,6 +164,75 @@
- .TP
- \fB\fI/var/run/named.pid\fB\fR
- The default process-id file.
-+.PP
-+.SH "NOTES"
-+.PP
-+.TP
-+\fBRed Hat SELinux BIND Security Profile:\fR
-+.PP
-+By default, Red Hat ships BIND with the most secure SELinux policy
-+that will not prevent normal BIND operation and will prevent exploitation
-+of all known BIND security vulnerabilities . See the selinux(8) man page
-+for information about SElinux.
-+.PP
-+It is not necessary to run named in a chroot environment if the Red Hat
-+SELinux policy for named is enabled. When enabled, this policy is far
-+more secure than a chroot environment. Users are recommended to enable
-+SELinux and remove the bind-chroot package.
-+.PP
-+With this extra security comes some restrictions:
-+.PP
-+By default, the SELinux policy does not allow named to write any master
-+zone database files. Only the root user may create files in the $ROOTDIR/var/named
-+zone database file directory (the options { "directory" } option), where
-+$ROOTDIR is set in /etc/sysconfig/named.
-+.PP
-+The "named" group must be granted read privelege to
-+these files in order for named to be enabled to read them.
-+.PP
-+Any file created in the zone database file directory is automatically assigned
-+the SELinux file context named_zone_t .
-+.PP
-+By default, SELinux prevents any role from modifying named_zone_t files; this
-+means that files in the zone database directory cannot be modified by dynamic
-+DNS (DDNS) updates or zone transfers.
-+.PP
-+The Red Hat BIND distribution and SELinux policy creates two directories where
-+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and
-+$ROOTDIR/var/named/data. By placing files you want named to modify, such as
-+slave or DDNS updateable zone files and database / statistics dump files in
-+these directories, named will work normally and no further operator action is
-+required. Files in these directories are automatically assigned the 'named_cache_t'
-+file context, which SELinux allows named to write.
-+.PP
-+You can enable the named_t domain to write and create named_zone_t files by use
-+of the SELinux tunable boolean variable "named_write_master_zones", using the
-+setsebool(8) command or the system-config-security GUI . If you do this, you
-+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to
-+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory
-+to named:named in order for named to be allowed to write them.
-+.PP
-+\fBRed Hat BIND named_sdb SDB support:\fR
-+.PP
-+Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program,
-+which is named compiled with the Simplified Database Backend modules that ISC
-+provides in the "contrib/sdb" directory.
-+.PP
-+The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb.
-+.PP
-+To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes",
-+and then the "service named start" named initscript will run named_sdb instead
-+of named .
-+.PP
-+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
-+.br
-+.PP
-+\fBRed Hat system-config-bind:\fR
-+.PP
-+Red Hat provides the system-config-bind GUI to configure named.conf and zone
-+database files. Run the "system-config-bind" command and access the manual
-+by selecting the Help menu.
-+.PP
- .SH "SEE ALSO"
- .PP
- \fIRFC 1033\fR,
diff --git a/bind-9.3.2-redhat_doc.patch b/bind-9.3.2-redhat_doc.patch
index 1d1a87a..eb79159 100644
--- a/bind-9.3.2-redhat_doc.patch
+++ b/bind-9.3.2-redhat_doc.patch
@@ -1,6 +1,6 @@
 --- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100
 +++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100
-@@ -205,6 +205,75 @@
+@@ -205,6 +205,68 @@
  \fI/var/run/named.pid\fR
  .RS 4
  The default process\-id file.
@@ -37,21 +37,14 @@
 +means that files in the zone database directory cannot be modified by dynamic
 +DNS (DDNS) updates or zone transfers.
 +.PP
-+The Red Hat BIND distribution and SELinux policy creates two directories where
-+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and
-+$ROOTDIR/var/named/data. By placing files you want named to modify, such as
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
++/var/named/data. By placing files you want named to modify, such as
 +slave or DDNS updateable zone files and database / statistics dump files in
 +these directories, named will work normally and no further operator action is
 +required. Files in these directories are automatically assigned the 'named_cache_t'
 +file context, which SELinux allows named to write.
 +.PP
-+You can enable the named_t domain to write and create named_zone_t files by use
-+of the SELinux tunable boolean variable "named_write_master_zones", using the
-+setsebool(8) command or the system-config-security GUI . If you do this, you
-+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to
-+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory
-+to named:named in order for named to be allowed to write them.
-+.PP
 +\fBRed Hat BIND named_sdb SDB support:\fR
 +.PP
 +Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program,
diff --git a/bind-9.4.0-idnkit-autotools.patch b/bind-9.4.0-idnkit-autotools.patch
index 9a2753c..a434e5c 100644
--- a/bind-9.4.0-idnkit-autotools.patch
+++ b/bind-9.4.0-idnkit-autotools.patch
@@ -24,7 +24,7 @@
 +if RUNIDN
 +bin_SCRIPTS =
 +man1_MANS =
-+lib_LTLIBRARIES = libidnkitres.la
++noinst_LTLIBRARIES = libidnkitres.la
 +
 +libidnkitres_la_SOURCES = \
 + resolver.lo stub.lo
@@ -91,9 +91,9 @@
 --- idnkit-1.0-src/lib/Makefile.am.autotools 2007-04-16 13:39:47.000000000 +0200
 +++ idnkit-1.0-src/lib/Makefile.am 2007-04-16 13:11:02.000000000 +0200
 @@ -0,0 +1,85 @@
-+lib_LTLIBRARIES = libidnkitlite.la
++noinst_LTLIBRARIES = libidnkitlite.la
 +if ! LITEONLY
-+lib_LTLIBRARIES += libidnkit.la
++noinst_LTLIBRARIES += libidnkit.la
 +endif
 +
 +AM_CPPFLAGS = \
diff --git a/bind-chroot-admin.in b/bind-chroot-admin.in
index 4ba7bc6..e11d7e6 100644
--- a/bind-chroot-admin.in
+++ b/bind-chroot-admin.in
@@ -78,18 +78,18 @@ function check_dirs() /bin/chown root:named /etc/sysconfig/named; /bin/chmod 0640 /etc/sysconfig/named; fi - /bin/mkdir -p ${BIND_DIR}/{slaves,data}; + /bin/mkdir -p ${BIND_DIR}/{slaves,data,dynamic}; /bin/chown --preserve-root root:named ${BIND_DIR}; - /bin/chown --preserve-root named:named ${BIND_DIR}/{slaves,data}; + /bin/chown --preserve-root named:named ${BIND_DIR}/{slaves,data,dynamic}; /bin/chmod --preserve-root 750 ${BIND_DIR} - /bin/chmod --preserve-root 770 ${BIND_DIR}/{slaves,data}; + /bin/chmod --preserve-root 770 ${BIND_DIR}/{slaves,data,dynamic}; - mkdir -p ${BIND_CHROOT_PREFIX}/{etc,dev,var/{run/named,named/{slaves,data}}}; + mkdir -p ${BIND_CHROOT_PREFIX}/{etc,dev,var/{run/named,named/{slaves,data,dynamic}}}; /bin/chown --preserve-root root:named ${BIND_CHROOT_PREFIX}/{etc,dev,var/{run,named/}}; /bin/chown --preserve-root root:named ${BIND_CHROOT_PREFIX}/var; /bin/chmod --preserve-root 750 ${BIND_CHROOT_PREFIX}/{,etc,dev,var,var/{run,named/}}; - /bin/chown --preserve-root named:named ${BIND_CHROOT_PREFIX}/var/{run/named,named/{data,slaves}}; - /bin/chmod --preserve-root 770 ${BIND_CHROOT_PREFIX}/var/{run/named,named/{slaves,data}}; + /bin/chown --preserve-root named:named ${BIND_CHROOT_PREFIX}/var/{run/named,named/{data,slaves,dynamic}}; + /bin/chmod --preserve-root 770 ${BIND_CHROOT_PREFIX}/var/{run/named,named/{slaves,data,dynamic}}; [ ! -e "${BIND_CHROOT_PREFIX}/dev/random" ] && /bin/mknod "${BIND_CHROOT_PREFIX}/dev/random" c 1 8 [ ! -e "${BIND_CHROOT_PREFIX}/dev/zero" ] && /bin/mknod "${BIND_CHROOT_PREFIX}/dev/zero" c 1 5 @@ -238,7 +238,7 @@ function sync_files() changed=`/bin/mktemp /tmp/XXXXXX`; rm -f $changed if [ $ENABLED -eq 0 ] ; then # chroot is enabled - /usr/bin/find /{etc/{named.*,rndc.*},${BIND_DIR#/}{/*,/data/*,/slaves/*}} -maxdepth 0 -type f | + /usr/bin/find /{etc/{named.*,rndc.*},${BIND_DIR#/}{/*,/data/*,/slaves/*,/dynamic/*}} -maxdepth 0 -type f | while read f; do replace_with_link ${BIND_CHROOT_PREFIX}/$f $f; 
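Review bot: The new chown/chmod lines in check_dirs expand `${BIND_DIR}` and `${BIND_CHROOT_PREFIX}` unquoted and unguarded, so if either is empty or unset the brace expansion degrades to host paths (`/{slaves,data,dynamic}`, `/var/{run/named,named/{data,slaves,dynamic}}`) and the `chown --preserve-root named:named` / `chmod 770` pair lands on the host's real directories; `--preserve-root` only protects `/` itself. Since this hunk is where the dynamic directory is first created, it is the natural place to fail closed with `: "${BIND_DIR:?BIND_DIR must be set}" "${BIND_CHROOT_PREFIX:?BIND_CHROOT_PREFIX must be set}"` before the first mkdir. check_dirs opens outside the hunk, so such a guard may already exist there; worth confirming rather than assuming.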
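Review bot: The `/dynamic/*` glob added to find's argument list here (and for the chroot tree in the @@ -251 hunk) is unquoted, so on a host where the new directory is still empty — every fresh upgrade, since nothing in this commit populates it — bash leaves the literal `/var/named/dynamic/*` in place and find prints a "No such file or directory" error for it on each sync, unless nullglob is enabled somewhere outside the hunk. `-maxdepth 0 -type f` keeps that bogus entry out of the `while read f` loop, so this is noise rather than a functional break, and the same already applies to an empty data/ or slaves/. A `shopt -s nullglob` scoped to sync_files, or dropping unmatched patterns before calling find, would keep the output clean; sync_files starts and ends outside the hunk.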
@@ -251,7 +251,7 @@ function sync_files() done pfx=${BIND_CHROOT_PREFIX} else # chroot is disabled - /usr/bin/find /var/named/chroot/{etc/{named.*,rndc.*},var/named{/*,/data/*,/slaves/*}} -maxdepth 0 | + /usr/bin/find /var/named/chroot/{etc/{named.*,rndc.*},var/named{/*,/data/*,/slaves/*,/dynamic/*}} -maxdepth 0 | while read f; do if [ ! -d "$f" ]; then @@ -280,11 +280,11 @@ function sync_files() chmod 750 ${pfx}/var/named >/dev/null 2>&1; chmod 640 ${pfx}/var/named/* >/dev/null 2>&1; chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1; - chown -h named:named /var/named/{data{,/*},slaves{,*/}} >/dev/null 2>&1; - chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,*/}} >/dev/null 2>&1; - chmod 770 ${pfx}/var/named/{data,slaves} >/dev/null 2>&1; - chmod 660 ${pfx}/var/named/{data/*,slaves/*} >/dev/null 2>&1; - chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.} >/dev/null 2>&1; + chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1; + chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1; + chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1; + chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1; + chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1; if [ -e $changed ]; then if selinux_enabled && [ -x /sbin/restorecon ]; then /sbin/restorecon -R ${BIND_CHROOT_PREFIX}/etc ${BIND_CHROOT_PREFIX}/var/named ${BIND_CHROOT_PREFIX}/var/run/named >/dev/null 2>&1; 
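Review bot: The two rewritten `chown -h named:named` lines at the end of the @@ -280 hunk hardcode `/var/named` for the non-chroot tree, while the `chmod` lines directly below use `${pfx}` and the find in @@ -238 uses `${BIND_DIR}`; if BIND_DIR can point elsewhere (it is set outside this hunk, so I cannot confirm), the dynamic directory under that location is never chowned and DDNS writes there fail, silently, because stderr is discarded on every line. Using the same variable keeps ownership consistent with path selection: `chown -h named:named ${BIND_DIR}/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;`. The incidental `slaves{,*/}` → `slaves{,/*}` correction in the same lines changes which paths get chowned and deserves a mention in the bind.spec changelog entry.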
@@ -295,7 +295,7 @@ function sync_files() /sbin/restorecon /etc/rndc.key >/dev/null 2>&1; /sbin/restorecon /etc/rndc.conf >/dev/null 2>&1; /sbin/restorecon /var/named{/,/*} >/dev/null 2>&1; - /sbin/restorecon /var/named/{slaves,data}{/,/*} >/dev/null 2>&1; + /sbin/restorecon /var/named/{slaves,data,dynamic}{/,/*} >/dev/null 2>&1; /sbin/restorecon /var/named/named.ca ${BIND_CHROOT_PREFIX}/var/named/named.ca >/dev/null 2>&1; /sbin/restorecon ${BIND_CHROOT_PREFIX} >/dev/null 2>&1; /sbin/restorecon /var/named/named.ca >/dev/null 2>&1; @@ -320,6 +320,7 @@ function clean_root() rmdir ${BIND_CHROOT_PREFIX}/var/run >/dev/null 2>&1 || :; rmdir ${BIND_CHROOT_PREFIX}/var/named/slaves >/dev/null 2>&1 || :; rmdir ${BIND_CHROOT_PREFIX}/var/named/data >/dev/null 2>&1 || :; + rmdir ${BIND_CHROOT_PREFIX}/var/named/dynamic >/dev/null 2>&1 || :; rmdir ${BIND_CHROOT_PREFIX}/var/named >/dev/null 2>&1 || :; rmdir ${BIND_CHROOT_PREFIX}/var/tmp >/dev/null 2>&1 || :; rmdir ${BIND_CHROOT_PREFIX}/var >/dev/null 2>&1 || :; diff --git a/bind.spec b/bind.spec index 3e000bb..6f43e90 100644 --- a/bind.spec +++ b/bind.spec @@ -28,7 +28,7 @@ Source2: named.init Source3: named.logrotate Source4: keygen.c Source5: rfc1912.txt -Source6: bind-chroot.tar.gz +Source6: bind-chroot.tar.bz2 Source7: bind-9.3.1rc1-sdb_tools-Makefile.in Source8: http://www.venaas.no/ldap/bind-sdb/dnszone.schema Source9: libbind-man.tar.gz 
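Review bot: The added `restorecon /var/named/{slaves,data,dynamic}{/,/*}` only yields a label named can write to if the installed SELinux policy carries a file-context entry for /var/named/dynamic; with an older policy the directory falls under the generic /var/named rule, which the man-page text in this same commit describes as named_zone_t and not writable by named, so DDNS updates would still be denied in enforcing mode while this line reports nothing (its stderr is discarded). Nothing in the diff pins that dependency — no Requires on a policy version in bind.spec and no `semanage fcontext` fallback — so I would at least document it above the line: `# relies on the SELinux policy defining a named-writable context for /var/named/dynamic; check with matchpathcon`. The changelog entry at bind.spec @@ -769 could name the policy version that introduced the label.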
@@ -359,11 +359,12 @@ mkdir -p ${RPM_BUILD_ROOT}/usr/{bin,lib,sbin,include} mkdir -p ${RPM_BUILD_ROOT}/var/named mkdir -p ${RPM_BUILD_ROOT}/var/named/slaves mkdir -p ${RPM_BUILD_ROOT}/var/named/data +mkdir -p ${RPM_BUILD_ROOT}/var/named/dynamic mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8} mkdir -p ${RPM_BUILD_ROOT}/var/run/named #chroot mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix} -tar --no-same-owner -zxvf %{SOURCE6} --directory ${RPM_BUILD_ROOT}/%{chroot_prefix} +tar --no-same-owner -jxvf %{SOURCE6} --directory ${RPM_BUILD_ROOT}/%{chroot_prefix} # these are required to prevent them being erased during upgrade of previous # versions that included them (bug #130121): touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf @@ -611,6 +612,7 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0660,named,named,0770) %dir /var/named/slaves %dir /var/named/data +%dir /var/named/dynamic %dir /var/run/named %defattr(0754,root,root,0750) %config /etc/rc.d/init.d/named @@ -743,6 +745,7 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0660,named,named,0770) %dir %prefix/var/named/slaves %dir %prefix/var/named/data +%dir %prefix/var/named/dynamic %dir %prefix/var/run/named %dir %prefix/var/tmp %ghost %prefix/dev/null @@ -769,10 +772,12 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog -* Tue Jun 04 2007 Adam Tkac 31:9.4.1-4.2.fc8 +* Tue Jun 04 2007 Adam Tkac 31:9.4.1-5.fc8 - very minor compatibility change in bind-chroot-admin (line 215) - enabled IDN support by default and don't distribute IDN libraries - specfile cleanup +- add dynamic directory to /var/named. This directory will be primarily used for + dynamic DNS zones. ENABLE_ZONE_WRITE and SELinux's named_write_master_zones no longer exist * Wed May 24 2007 Adam Tkac 31:9.4.1-4.fc8 - removed ldap-api patch and start using deprecated API diff --git a/named.init b/named.init index f801da8..06c0561 100755 --- a/named.init +++ b/named.init 
@@ -121,35 +121,7 @@ start() {
 fi;
 fi;
 fi
- no_write_master_zones=0
- if [ -e /etc/selinux/config ]; then
- . /etc/selinux/config
- if [[ ( "$SELINUX" != 'disabled') && ("$SELINUXTYPE" != "") && (-d /etc/selinux/${SELINUXTYPE}) && (-e /etc/selinux/${SELINUXTYPE}/booleans || (-e /etc/selinux/${SELINUXTYPE}/booleans.local)) ]]; then
- if [ -e /etc/selinux/${SELINUXTYPE}/booleans.local ]; then
- . /etc/selinux/${SELINUXTYPE}/booleans.local;
- else
- . /etc/selinux/${SELINUXTYPE}/booleans;
- fi;
- if echo "$named_write_master_zones" | /bin/egrep -q '^[0-9]+$'; then
- if [ "$named_write_master_zones" -eq 1 ] ; then
- /bin/chown -f --from=root:named named:named $ROOTDIR/var/named
- elif [ "$named_write_master_zones" -eq 0 ] ; then
- /bin/chown -f --from=named:named root:named $ROOTDIR/var/named
- fi;
- fi;
- else
- no_write_master_zones=1
- fi;
- else
- no_write_master_zones=1
- fi;
- if [ "$no_write_master_zones" -eq 1 ]; then
- if [[ "$ENABLE_ZONE_WRITE" = [yY1]* ]]; then
- /bin/chown -f --from=root:named named:named $ROOTDIR/var/named
- elif [[ "$ENABLE_ZONE_WRITE" = [nN0]* ]]; then
- /bin/chown -f --from=named:named root:named $ROOTDIR/var/named
- fi;
- fi
+
 conf_ok=0;
 if [ -x /usr/sbin/named-checkconf ] && [ -x /usr/sbin/named-checkzone ] && /usr/sbin/named-checkconf $ckcf_options ${named_conf} >/dev/null 2>&1; then
 conf_ok=1;
diff --git a/named.sysconfig b/named.sysconfig
index 395c956..e331aa5 100644
--- a/named.sysconfig
+++ b/named.sysconfig
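Review bot: Removing the ENABLE_ZONE_WRITE / named_write_master_zones block also removes the only code in start() that reset `$ROOTDIR/var/named` back to root:named (`/bin/chown -f --from=named:named root:named $ROOTDIR/var/named`), so a host upgraded from a configuration that had zone writes enabled keeps a named-owned, named-writable master zone directory indefinitely — the restriction the new dynamic directory is meant to restore is never re-applied unless bind-chroot-admin's sync_files happens to run. A one-time `/bin/chown -f --from=named:named root:named $ROOTDIR/var/named` kept here, or in a spec %post scriptlet, would close that gap. Either way the bare blank line that replaces the block deserves a comment such as `# /var/named stays root:named; named writes only under var/named/{slaves,data,dynamic}` so the next reader knows why the old logic went away. That /etc/selinux/config is no longer sourced into the init script's environment is a welcome side effect.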
@@ -10,14 +10,6 @@
 # OPTIONS="whatever" -- These additional options will be passed to named
 # at startup. Don't add -t here, use ROOTDIR instead.
 #
-# ENABLE_ZONE_WRITE=yes -- If SELinux is disabled, then allow named to write
-# its zone files and create files in its $ROOTDIR/var/named
-# directory, necessary for DDNS and slave zone transfers.
-# Slave zones should reside in the $ROOTDIR/var/named/slaves
-# directory, in which case you would not need to enable zone
-# writes. If SELinux is enabled, you must use only the
-# 'named_write_master_zones' variable to enable zone writes.
-#
 # ENABLE_SDB=yes -- This enables use of 'named_sdb', which has support
 # -- for the ldap, pgsql and dir zone database backends
 # -- compiled in, to be used instead of named.
diff --git a/sources b/sources
index 8c15998..e99e8fd 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-3567c35a24cb83a8a69443a399bbb6c8 bind-chroot.tar.gz
-13fef79f99fcefebb51d84b08805de51 libbind-man.tar.gz
 09b54d35036cb0423b2e618f21766285 bind-9.4.1.tar.gz
+dd2b4f4b795a0a989b0a01f93db3a57b bind-chroot.tar.bz2
+13fef79f99fcefebb51d84b08805de51 libbind-man.tar.gz
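Review bot: Dropping the ENABLE_ZONE_WRITE paragraph leaves existing /etc/sysconfig/named files that still set `ENABLE_ZONE_WRITE=yes` silently ignored — the init script no longer reads the variable — and the remaining comments never say where operators should now put DDNS-updated zones. A short replacement comment keeps the file self-explanatory, e.g. `# ENABLE_ZONE_WRITE is obsolete: place DDNS and slave zone files under $ROOTDIR/var/named/{dynamic,slaves}, which named may write.` The file is a shell fragment sourced by the init script, so the note must stay a `#` comment.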