Policy for denyhosts
Daniel J Walsh
dwalsh at redhat.com
Wed Nov 29 19:51:01 UTC 2006
Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh <dwalsh at redhat.com> writes:
>
> DJW> A better solution from the SELinux point of view is to add a new
> DJW> directory, /etc/denyhosts/, and put your configuration files
> DJW> there.
>
> I'm not sure what you're referring to. There's only one configuration
> file and it's not modified by the program. Surely you can't be saying
> that every package that has a configuration file in /etc needs to move
> it into a subdirectory.
>
> If /etc/hosts.deny is the problem, well, that's the location of the
> file. The denyhosts package doesn't own it.
>
> - J<
>
Jeff Carlson used a syntax that looked like you could put the hosts.deny files in a location other than /etc:
---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0
# A client pattern that begins with "/" is read from that file
# (hosts_access(5)); the DENY option (hosts_options(5)) turns this
# hosts.allow entry into a deny rule for the listed hosts.
sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live. No reason to accept SSH from where I don't.
---- hosts.deny ----
# Everything not matched in hosts.allow is refused
ALL:ALL
I was suggesting you could write the tool in such a way that it had those files in a separate location.
One thing we might want to consider is adding an attribute, ETCFILE or some such, and changing files_read_etc_files() to allow reading of files that carry it. This way new tools could define the types of files that they want to manage and still allow all of the domains that want to read /etc files to succeed.

I have a tool right now that wants to manage /etc/fstab.
Dan
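The attribute idea sketched in the message above, written out as an added example in reference-policy syntax (this is not policy from the thread or from the Fedora policy tree). The attribute name etcfile follows the message's "ETCFILE"; the denyhosts_t, denyhosts_exec_t and denyhosts_etc_t types, the /etc/denyhosts directory and the module layout are assumptions made for illustration.

```selinux
# --- kernel/files.te (base policy): one shared attribute for "things in /etc
#     that ordinary domains may read"; etc_t itself joins it so nothing changes
#     for existing readers. (Example policy; etcfile and the layout are assumed.)
attribute etcfile;

type etc_t;
files_type(etc_t)
typeattribute etc_t etcfile;

# --- kernel/files.if: readers are granted the attribute instead of the single
#     etc_t type, so any type later tagged etcfile is readable by the same domains.
interface(`files_read_etc_files',`
	gen_require(`
		attribute etcfile;
	')

	allow $1 etcfile:dir list_dir_perms;
	read_files_pattern($1, etcfile, etcfile)
	read_lnk_files_pattern($1, etcfile, etcfile)
')

# --- denyhosts.te (hypothetical module): a private type for the host lists the
#     tool rewrites. Tagging it etcfile keeps it readable by every /etc reader;
#     write access stays confined to the denyhosts domain.
policy_module(denyhosts, 0.1)

type denyhosts_t;
type denyhosts_exec_t;
init_daemon_domain(denyhosts_t, denyhosts_exec_t)

type denyhosts_etc_t;
files_type(denyhosts_etc_t)

gen_require(`
	attribute etcfile;
')
typeattribute denyhosts_etc_t etcfile;

# Only denyhosts_t may create, rewrite or remove its lists; files it creates
# directly under /etc get the private type instead of etc_t.
manage_files_pattern(denyhosts_t, denyhosts_etc_t, denyhosts_etc_t)
files_etc_filetrans(denyhosts_t, denyhosts_etc_t, file)

# --- denyhosts.fc: label the tool's own directory (assumed path)
/etc/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_etc_t,s0)
```

With this layout a tool that manages a file such as /etc/fstab would follow the same pattern: give the file its own type, tag that type etcfile, and grant manage permissions only to the tool's domain.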
More information about the fedora-selinux-list mailing list