
Ensure Only the Necessary SELinux Booleans are Enabled

Details

SELinux booleans allow or disallow specific behaviors. There are two boolean variables specific to the ISC BIND DNS server:

named_tcp_bind_http_port – Allow named to tcp bind http port

named_write_master_zones – Allow named to write master zones

Enabling named_tcp_bind_http_port would allow the BIND statistics HTTP channel to be turned on, which is not recommended. named_write_master_zones allows BIND to write to the master zone files, which is necessary when dynamic updates are performed or when the server automatically maintains DNSSEC signatures.

Rationale:

Enabling only the necessary named-related booleans provides a defense-in-depth approach that denies actions which are not in use or expected.

Solution

Perform the following to implement the recommended state:

Disable the SELinux boolean using the setsebool command as shown below; the -P option makes the change persistent across reboots.

# setsebool -P named_tcp_bind_http_port off
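The following audit script is an added example and is not part of the CIS text. It parses the output of getsebool (lines of the form `name --> state`), fails if named_tcp_bind_http_port is on, and reports named_write_master_zones without judging it, since its correct state depends on whether the server performs dynamic updates or automatic DNSSEC signing. The sample output embedded in the script is constructed so it runs offline; the live check only runs where getsebool exists.

```shell
#!/bin/sh
# Audit check for the named SELinux booleans (added example, not CIS-supplied).

# Constructed sample of `getsebool` output, used so the script runs without SELinux.
SAMPLE_GETSEBOOL='named_tcp_bind_http_port --> on
named_write_master_zones --> off'

# bool_state NAME OUTPUT: print the state (on/off) of boolean NAME found in OUTPUT.
bool_state() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $3 }'
}

# audit_named_booleans OUTPUT: return 0 if named_tcp_bind_http_port is off,
# 1 if it is on, 2 if the boolean does not appear in OUTPUT at all.
audit_named_booleans() {
    state=$(bool_state named_tcp_bind_http_port "$1")
    case "$state" in
        off) return 0 ;;
        on)  return 1 ;;
        *)   return 2 ;;
    esac
}

# Live check: only meaningful on a host with the SELinux userspace tools installed.
if command -v getsebool >/dev/null 2>&1; then
    live=$(getsebool named_tcp_bind_http_port named_write_master_zones)
    if audit_named_booleans "$live"; then
        echo "PASS: named_tcp_bind_http_port is off"
    else
        echo "FAIL: remediate with 'setsebool -P named_tcp_bind_http_port off'"
    fi
    # Informational only: review against whether dynamic updates or DNSSEC are in use.
    echo "named_write_master_zones is $(bool_state named_write_master_zones "$live")"
else
    # Demonstrate the parser on the constructed sample instead.
    if audit_named_booleans "$SAMPLE_GETSEBOOL"; then
        echo "PASS (sample)"
    else
        echo "FAIL (sample): named_tcp_bind_http_port is on"
    fi
fi
```

The parser keys on the first and third fields of each line, so it tolerates the spacing getsebool emits and ignores unrelated booleans if the full boolean list is passed in.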

Default Value:

The default value for named_tcp_bind_http_port is off.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.

Updated on July 16, 2022