tightening ssh
Louis Lagendijk
louis at lagendijk.xs4all.nl
Sat Nov 26 12:57:39 UTC 2005
On Tue, 2005-11-22 at 16:05 -0500, Claude Jones wrote:
> On Tuesday 22 November 2005 4:00 pm, Louis Lagendijk wrote:
> >
> > I am running DenyHosts on my (Centos) server. It does seem to cause some
> > problems changing security context on /etc/hosts.deny though. I am not
> > sure whether it exhibits the same problem on Fedora, but you better
> > monitor it for some time....
> >
>
> Could you give a little more detail? What problems regarding what security
> contexts? I started this whole thread, and today I just installed denyhosts
> as a first step in implementing some of the suggestions. It immediately
> picked up some hosts from the logs that tried to break in yesterday, and
> added them to denyhosts. I also happen to run a Centos server, so I'm doubly
> curious about your issues.
>
My apologies for the late reply: I had to wait for the problem to
re-appear. The issue appears to be that DenyHosts (run as daemon) appears
to change the context for /etc/hosts.deny to:
-rw-r--r-- root root user_u:object_r:etc_t /etc/hosts
-rw-r--r-- root root system_u:object_r:etc_t /etc/hosts.allow
-rw-rw-rw- root root root:object_r:etc_runtime_t /etc/hosts.deny
-rw-rw-rw- root root root:object_r:etc_t /etc/hosts.deny.purge.bak
I have for now solved that with a local policy of:
allow portmap_t etc_runtime_t:file read;
probably not the best solution, but I am not (yet) versed well enough in
SELinux to solve the issue otherwise.
> --
> Claude Jones
> Bluemont, VA, USA
>
--
Louis Lagendijk <louis at lagendijk.xs4all.nl>
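
The listing in the message above can be checked mechanically. As an added example (not part of the original post or of DenyHosts), this shell function reads lines in the same "mode user group context path" shape and reports files whose SELinux type differs from an expected type or whose mode is world-writable. The function names and the expected type etc_t are assumptions; the sample lines are copied from the post's listing.

```shell
#!/bin/sh
# Added example: audit a listing of /etc/hosts* files for SELinux type drift
# and world-writable modes. Input format (as in the post):
#   MODE USER GROUP SELINUX_CONTEXT PATH

# Sample input, copied from the listing in the post.
sample_listing() {
    cat <<'EOF'
-rw-r--r-- root root user_u:object_r:etc_t /etc/hosts
-rw-r--r-- root root system_u:object_r:etc_t /etc/hosts.allow
-rw-rw-rw- root root root:object_r:etc_runtime_t /etc/hosts.deny
-rw-rw-rw- root root root:object_r:etc_t /etc/hosts.deny.purge.bak
EOF
}

# audit_hosts_contexts [EXPECTED_TYPE]
# EXPECTED_TYPE defaults to etc_t (assumption: the type the files
# untouched by the daemon carry in the listing).
audit_hosts_contexts() {
    expected_type="${1:-etc_t}"
    while read -r mode user group context path; do
        [ -n "$path" ] || continue          # skip blank or short lines
        # Context is user:role:type, optionally followed by :level.
        setype=$(printf '%s' "$context" | cut -d: -f3)
        if [ "$setype" != "$expected_type" ]; then
            printf 'CONTEXT %s type=%s expected=%s\n' \
                "$path" "$setype" "$expected_type"
        fi
        # The 9th character of the mode string is the "other write" bit.
        case "$mode" in
            ????????w*)
                printf 'WORLD_WRITABLE %s mode=%s\n' "$path" "$mode" ;;
        esac
    done
    return 0
}

# Run the audit over the sample listing.
sample_listing | audit_hosts_contexts etc_t
```

On a live system, `stat -c '%A %U %G %C %n' /etc/hosts*` produces lines in this shape, and `restorecon -v` resets a file to the context the loaded policy expects.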