On Tue, 2005-11-22 at 16:05 -0500, Claude Jones wrote:
> On Tuesday 22 November 2005 4:00 pm, Louis Lagendijk wrote:
> >
> > I am running DenyHosts on my (Centos) server. It does seem to cause some
> > problems changing security context on /etc/hosts.deny though. I am not
> > sure whether it exhibits the same problem on Fedora, but you better
> > monitor it for some time....
> >
> Could you give a little more detail. What problems regarding what security
> contexts? I started this whole thread, and today I just installed denyhosts
> as a first step in implementing some of the suggestions. It immediately
> picked up some hosts from the logs that tried to break in yesterday, and
> added them to denyhosts. I also happen to run a Centos server, so I'm doubly
> curious about your issues.
My apologies for the late reply: I had to wait for the problem to
re-appear. The issue appears to be that DenyHosts (run as daemon) appears
to change the context for /etc/hosts.deny to:
-rw-r--r--  root root user_u:object_r:etc_t            /etc/hosts
-rw-r--r--  root root system_u:object_r:etc_t          /etc/hosts.allow
-rw-rw-rw-  root root root:object_r:etc_runtime_t      /etc/hosts.deny
-rw-rw-rw-  root root root:object_r:etc_t              /etc/hosts.deny.purge.bak
I have for now solved that with a local policy of:
allow portmap_t etc_runtime_t:file read;
Probably not the best solution, but I am not (yet) versed well enough in
SELinux to solve the issue otherwise.
--
Claude Jones
Bluemont, VA, USA
--
Louis Lagendijk <louis(a)lagendijk.xs4all.nl>
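
Added example, not part of the original message: a shell check that parses `ls -Z` output in the five-column layout quoted above and reports files whose SELinux type differs from an expected one, or whose mode is world-writable. The expected type `etc_t` and the function names are assumptions made for this illustration; the sample listing is the one from the message.

```shell
#!/bin/sh
# Flag SELinux type drift and world-writable modes in `ls -Z` output.
# Assumed input layout (as in the message): mode user group context path

EXPECTED_TYPE="etc_t"   # assumption: the type carried by the other /etc/hosts* files

# Listing taken from the message above, embedded so the check runs offline.
sample_listing() {
cat <<'EOF'
-rw-r--r--  root root user_u:object_r:etc_t /etc/hosts
-rw-r--r--  root root system_u:object_r:etc_t /etc/hosts.allow
-rw-rw-rw-  root root root:object_r:etc_runtime_t /etc/hosts.deny
-rw-rw-rw-  root root root:object_r:etc_t /etc/hosts.deny.purge.bak
EOF
}

# check_listing: reads `ls -Z` lines on stdin and prints one finding per line:
#   TYPE_DRIFT <path> <type>       context type differs from EXPECTED_TYPE
#   WORLD_WRITABLE <path> <mode>   write bit set for "other"
check_listing() {
    awk -v want="$EXPECTED_TYPE" '
    NF >= 5 {
        mode = $1; ctx = $4; path = $5
        # Context is user:role:type, optionally followed by :level;
        # the type is the third field in both forms.
        n = split(ctx, part, ":")
        type = (n >= 3) ? part[3] : "unknown"
        if (type != want)
            printf "TYPE_DRIFT %s %s\n", path, type
        # Character 9 of the mode string is the "other" write bit.
        if (substr(mode, 9, 1) == "w")
            printf "WORLD_WRITABLE %s %s\n", path, mode
    }'
}

sample_listing | check_listing
```

On a live system the same function can be fed real output, for example `ls -Z /etc/hosts* | check_listing`, provided the column layout matches the one assumed here.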