Selinux and denyhosts

Jason L Tibbitts III tibbs at math.uh.edu
Thu Nov 2 16:03:15 UTC 2006


I maintain the denyhosts package in Fedora Extras.  Recently a user
reported that denyhosts resets the security context on /etc/hosts.deny
which breaks other services.  (The ticket is
https://bugzilla.redhat.com/212771 .)

It isn't completely clear what is happening from the report.
Denyhosts performs two operations on hosts.deny:

1) When adding new hosts, it appends (usually) two lines to the file.
2) When purging old hosts, it creates a new temporary file (currently
   named hosts.deny.purge.tmp, although there's certainly no permanent
   guarantee of this), copies over the lines not being purged, and
   then renames the new file into place.

My understanding is that the first operation won't change the security
context of the file, but the second is quite likely to.

Unfortunately the reporter hasn't provided any information about
whether my last suggestion of running

semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp

or using a pattern helped the situation.  My understanding is that
this should fix the issue, but I am far from a selinux expert.  Might
anyone have additional advice?  Is there any way to future-proof this
in case upstream decides to use a different temporary filename?  Would
it be reasonable to create a full policy for denyhosts?

 - J<




More information about the fedora-selinux-list mailing list