Selinux and denyhosts
Jason L Tibbitts III
tibbs at math.uh.edu
Thu Nov 2 16:03:15 UTC 2006
I maintain the denyhosts package in Fedora Extras. Recently a user
reported that denyhosts resets the security context on /etc/hosts.deny
which breaks other services. (The ticket is
https://bugzilla.redhat.com/212771 .)
It isn't completely clear what is happening from the report.
Denyhosts performs two operations on hosts.deny:
1) When adding new hosts, it appends (usually) two lines to the file.
2) When purging old hosts, it creates a new temporary file (currently
named hosts.deny.purge.tmp, although there's certainly no permanent
guarantee of this), copies over the lines not being purged, and
then renames the new file into place.
My understanding is that the first operation won't change the security
context of the file, but the second is quite likely to.
Unfortunately the reporter hasn't provided any information about
whether my last suggestion of running
semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp
or using a pattern helped the situation. My understanding is that
this should fix the issue, but I am far from a selinux expert. Might
anyone have additional advice? Is there any way to future-proof this
in case upstream decides to use a different temporary filename? Would
it be reasonable to create a full policy for denyhosts?
- J<
More information about the fedora-selinux-list
mailing list