Policy for denyhosts

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 29 18:57:15 UTC 2006


On Wed, 2006-11-29 at 12:38 -0600, Jason L Tibbitts III wrote:
> >>>>> "DJW" == Daniel J Walsh <dwalsh at redhat.com> writes:
> 
> DJW> A better solution from the SELinux point of view is to add a new
> DJW> directory, /etc/denyhosts/, and put your configuration files
> DJW> there.
> 
> I'm not sure what you're referring to.  There's only one configuration
> file and it's not modified by the program.  Surely you can't be saying
> that every package that has a configuration file in /etc needs to move
> it into a subdirectory.
> 
> If /etc/hosts.deny is the problem, well, that's the location of the
> file.  The denyhosts package doesn't own it.

Yes, /etc/hosts.deny is the issue.  The halfway step is to move it into
etc_runtime_t and allow denyhosts to write to that type, thereby only
opening up access to the set of files in that type and not all of etc_t.
The fine-grained step is to move it into its own private type.  Either
way may involve some changes to other policy modules for processes that
need to access that file, but the former should have smaller impact.

-- 
Stephen Smalley
National Security Agency
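The two options Stephen describes, written out as a refpolicy-style local module. This is an added example, not code from the thread, from denyhosts, or from the Fedora/reference policy. The domain name denyhosts_t, the private type denyhosts_hosts_deny_t, the interface name denyhosts_read_hosts_deny and the module name denyhosts_local are all assumptions made for illustration; the interfaces files_rw_etc_runtime_files, files_config_file and files_search_etc and the permission sets rw_file_perms / read_file_perms are the standard refpolicy ones. Option A (the "halfway step") and Option B (the private type) are alternatives: apply one, not both.

```selinux
## denyhosts_local.te -- example only; denyhosts_t is an assumed domain name
policy_module(denyhosts_local, 1.0)

gen_require(`
	type denyhosts_t;	# assumed: the domain the denyhosts daemon runs in
')

########################################
#
# Option A, the halfway step.  /etc/hosts.deny is relabelled to
# etc_runtime_t (see the .fc below), and denyhosts gets write access to
# that type only.  It can then touch every etc_runtime_t file (e.g. mtab,
# resolv.conf) but nothing that is still etc_t.
#
files_rw_etc_runtime_files(denyhosts_t)

########################################
#
# Option B, the fine-grained step.  hosts.deny gets a private type that
# only denyhosts may write.  Every other domain that reads the file
# (sshd, tcpd, anything linked against libwrap) now needs a rule too,
# which is the "changes to other policy modules" cost; the interface in
# the .if below is what those modules would call.
#
type denyhosts_hosts_deny_t;	# assumed name
files_config_file(denyhosts_hosts_deny_t)

files_search_etc(denyhosts_t)
allow denyhosts_t denyhosts_hosts_deny_t:file rw_file_perms;

## denyhosts_local.if
########################################
## <summary>
##	Read the denyhosts-managed /etc/hosts.deny (Option B only).
## </summary>
## <param name="domain">
##	<summary>Domain allowed access, e.g. sshd_t.</summary>
## </param>
#
interface(`denyhosts_read_hosts_deny',`
	gen_require(`
		type denyhosts_hosts_deny_t;
	')

	files_search_etc($1)
	allow $1 denyhosts_hosts_deny_t:file read_file_perms;
')

## denyhosts_local.fc
# Option A: move the file into etc_runtime_t.
/etc/hosts\.deny	--	gen_context(system_u:object_r:etc_runtime_t,s0)
# Option B: private type.  Use this line INSTEAD of the one above.
#/etc/hosts\.deny	--	gen_context(system_u:object_r:denyhosts_hosts_deny_t,s0)
```

Build and load it the usual way (make -f /usr/share/selinux/devel/Makefile, then semodule -i denyhosts_local.pp) and relabel the file with restorecon -v /etc/hosts.deny so the new context actually lands on disk; for Option A alone, semanage fcontext -a -t etc_runtime_t /etc/hosts.deny followed by restorecon achieves the same without a module. Two caveats: if the daemon is not yet confined in its own domain there is no denyhosts_t to grant anything to, and if denyhosts rewrites hosts.deny by creating a new file and renaming it over the old one rather than writing in place, the rw_file_perms above are not enough; it would also need create/unlink in the etc_t directory and a file type transition so the replacement file gets the right label.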




More information about the fedora-selinux-list mailing list