tightening ssh

Louis Lagendijk louis at lagendijk.xs4all.nl
Sat Nov 26 12:57:39 UTC 2005

On Tue, 2005-11-22 at 16:05 -0500, Claude Jones wrote:
> On Tuesday 22 November 2005 4:00 pm, Louis Lagendijk wrote:
> >
> > I am running DenyHosts on my (Centos) server. It does seem to cause some
> > problems changing security context on /etc/hosts.deny though. I am not
> > sure whether it exhibits the same problem on Fedora, but you better
> > monitor it for some time....
> >
> Could you give a little more detail. What problems regarding what security 
> contexts? I started this whole thread, and today I just installed denyhosts 
> as a first step in implementing some of the suggestions. It immediately 
> picked up some hosts from the logs that tried to break in yesterday, and 
> added them to denyhosts. I also happen to run a Centos server, so I'm doubly 
> curious about your issues. 
My apologies for the late reply: I had to wait for the problem to
re-appear. The issue appears to be that DenyHost (run as deamon) appear
to change the context for /etc/hosts.deny to:

-rw-r--r--  root     root
user_u:object_r:etc_t            /etc/hosts
-rw-r--r--  root     root
system_u:object_r:etc_t          /etc/hosts.allow
-rw-rw-rw-  root     root
root:object_r:etc_runtime_t      /etc/hosts.deny
-rw-rw-rw-  root     root
root:object_r:etc_t              /etc/hosts.deny.purge.bak

I have for now solved that with a local policy of:

 allow portmap_t etc_runtime_t:file read;

probably not the best solution, but I am not (yet) versed well enough in
selinux to solve the issue otherwise

> -- 
> Claude Jones
> Bluemont, VA, USA
Louis Lagendijk <louis at lagendijk.xs4all.nl>

More information about the users mailing list