Policy for denyhosts

Jason L Tibbitts III tibbs at math.uh.edu
Tue Nov 28 19:58:58 UTC 2006


I would like to revisit the issue of denyhosts and selinux and address
it properly.  From what I gather from the earlier discussion, it would
be best to write a proper policy for denyhosts.  Unfortunately, I'm
almost completely ignorant of what needs to happen here.

Here's some essential info about denyhosts:

Denyhosts is written in python.  It runs as root either as a daemon or
spawned from cron.  It consists of an executable script
(/usr/bin/denyhosts.py), some python modules in
/usr/lib/python2.4/site-packages/DenyHosts, a config file
(/etc/denyhosts.conf), and some databases under /var/lib/denyhosts.

During its operation it reads /var/log/secure, maintains databases and
such under /var/lib/denyhosts, and writes to /etc/hosts.deny.  It may
also make some xmlrpc calls out over the 'net if so configured
(although by default this is not the case).

One complication is that denyhosts can call out to user-supplied
scripts which can do pretty much anything.  I've no idea how to
properly handle that kind of thing.
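To make the requirements above concrete, here is a starting-point reference-policy module (a .te file with the matching file contexts) that I have sketched for this message; it is not from the DenyHosts project nor from any shipped Fedora policy. It assumes the refpolicy interface names current in 2006, that /var/log/secure carries the generic var_log_t label, and that /etc/hosts.deny is labelled net_conf_t (if it is etc_t on the target system, files_manage_etc_files replaces sysnet_manage_config). The two booleans, denyhosts_enable_sync and denyhosts_exec_plugins, are names I made up for the example. Both default to off, so the XML-RPC calls and the user-supplied scripts are denied and logged unless the administrator opts in; when a plugin is enabled it still runs inside denyhosts_t and is limited to exactly these rules.

```selinux
policy_module(denyhosts, 1.0.0)

########################################
#
# Declarations
#

type denyhosts_t;
type denyhosts_exec_t;
init_daemon_domain(denyhosts_t, denyhosts_exec_t)

# /etc/denyhosts.conf gets its own read-only type.
type denyhosts_etc_t;
files_config_file(denyhosts_etc_t)

# Databases under /var/lib/denyhosts.
type denyhosts_var_lib_t;
files_type(denyhosts_var_lib_t)

# Assumed boolean names (chosen for this example, not refpolicy's).
gen_tunable(denyhosts_enable_sync, false)
gen_tunable(denyhosts_exec_plugins, false)

########################################
#
# Local policy
#

allow denyhosts_t self:fifo_file rw_fifo_file_perms;
allow denyhosts_t self:unix_stream_socket create_stream_socket_perms;

# Own config file: read only.
read_files_pattern(denyhosts_t, denyhosts_etc_t, denyhosts_etc_t)

# Databases: full management, and anything created under /var/lib
# by this domain is labelled with the private type.
manage_dirs_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, { dir file })

# The same script may be started by init (daemon mode) or by cron.
cron_system_entry(denyhosts_t, denyhosts_exec_t)

# Python interpreter, shared libraries, locale data.
corecmd_exec_bin(denyhosts_t)
libs_use_ld_so(denyhosts_t)
libs_use_shared_libs(denyhosts_t)
miscfiles_read_localization(denyhosts_t)

# Generic /etc reads and /var/log/secure (assumed var_log_t).
files_read_etc_files(denyhosts_t)
logging_read_generic_logs(denyhosts_t)

# /etc/hosts.deny: assumed net_conf_t.  If it is etc_t on the target
# system, use files_manage_etc_files(denyhosts_t) instead.
sysnet_manage_config(denyhosts_t)

# Optional XML-RPC synchronisation: outbound HTTP plus DNS lookups.
tunable_policy(`denyhosts_enable_sync',`
	allow denyhosts_t self:tcp_socket create_stream_socket_perms;
	corenet_tcp_sendrecv_generic_if(denyhosts_t)
	corenet_tcp_sendrecv_generic_node(denyhosts_t)
	corenet_tcp_connect_http_port(denyhosts_t)
	sysnet_dns_name_resolve(denyhosts_t)
')

# Optional user-supplied plugin scripts.  They stay in denyhosts_t,
# so whatever they try beyond the rules above is denied and audited.
tunable_policy(`denyhosts_exec_plugins',`
	corecmd_exec_shell(denyhosts_t)
	corecmd_exec_all_executables(denyhosts_t)
')

# ---- denyhosts.fc (separate file, same module) ----
# /usr/bin/denyhosts\.py   --  gen_context(system_u:object_r:denyhosts_exec_t,s0)
# /etc/denyhosts\.conf     --  gen_context(system_u:object_r:denyhosts_etc_t,s0)
# /var/lib/denyhosts(/.*)?     gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
```

Build it with the policy development headers (make -f /usr/share/selinux/devel/Makefile), load it with semodule -i denyhosts.pp, and relabel the listed paths with restorecon -Rv. Run denyhosts through a full cycle (daemon start, cron run, a /etc/hosts.deny update) while watching for AVC denials; feed any genuine ones through audit2allow and fold the resulting rules into the module rather than loading them as a blind local policy, so that each added permission stays tied to an observed need.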

Could someone perhaps help me to get started with a policy?

 - J<