[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Policy for denyhosts
- From: Daniel J Walsh <dwalsh redhat com>
- To: Jason L Tibbitts III <tibbs math uh edu>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Policy for denyhosts
- Date: Wed, 29 Nov 2006 14:51:01 -0500
Jason L Tibbitts III wrote:
"DJW" == Daniel J Walsh <dwalsh redhat com> writes:
DJW> A better solution from the SELinux point of view is to add a new
DJW> directory. and /etc/denyhosts/ and put your configuration files
DJW> there.
I'm not sure what you're referring to. There's only one configuration
file and it's not modified by the program. Surely you can't be saying
that every package that has a configuration file in /etc needs to move
it into a subdirectory.
If /etc/hosts.deny is the problem, well, that's the location of the
file. The denyhosts package doesn't own it.
- J<
Jeff Carlson used a syntax that looked like you could put the hosts.deny
files in a location other than
/etc
---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0
sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live. No reason to accept SSH from where I don't.
---- hosts.deny ----
ALL:ALL
I was suggesting you could write the tool in such a way that it had those files in a separate location.
One thing we might want to consider, is adding an attribute ETCFILE or some such and changing
files_read_etc_files() to allow reading of these files. This way new tools could define types of files that they want to manage and still allow all of the domains that want to read /etc files succeed. I have a tool right now that wants to manage /etc/fstab.
Dan
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]