Bug 1663556

Summary: /etc/hosts.allow and /etc/hosts.deny files contain extremely inaccurate information
Product: Red Hat Enterprise Linux 8
Reporter: SHAURYA <sshaurya>
Component: setup
Assignee: Pavel Zhukov <pzhukov>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact: Ioanna Gkioka <igkioka>
Priority: medium
Version: 8.0
CC: ajb, djez, fkrska, fweimer, igkioka, jjelen, lmanasko, lnykryn, pasik, pcahyna, ptalbert, pzhukov, rdulhani, riehecky, rmahique, tbowling, thozza, toneata, toracat, troels
Target Milestone: rc
Keywords: AutoVerified, ZStream
Target Release: 8.0
Flags: igkioka: needinfo-
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: setup-2.12.2-2.el8
Doc Type: Bug Fix
Doc Text:
.The `/etc/hosts.allow` and `/etc/hosts.deny` files no longer contain outdated references to removed `tcp_wrappers`

Previously, the `/etc/hosts.allow` and `/etc/hosts.deny` files contained outdated information about the `tcp_wrappers` package. The files are removed in RHEL 8 as they are no longer needed for `tcp_wrappers` which is removed.
Story Points: ---
Clone Of:
: 1690901
Environment:
Last Closed: 2020-05-07 15:36:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1681503
Bug Blocks: 1596070, 1679810, 1690901

Description SHAURYA 2019-01-04 20:44:18 UTC
Description of problem:

The files /etc/hosts.allow and /etc/hosts.deny are still installed in RHEL 8, despite the tcp_wrappers package having been removed. These files now contain entirely inaccurate information about man pages and options (references to "man 5 hosts_options" and "man 5 hosts_access" fail on RHEL 8), and the "tcp_wrappers-enabled version of xinetd" no longer exists (the 'xinetd' package is still included, but no longer links to libwrap).

I expect to see correct information in these files, or they should not exist at all. An example of "correct information" in this case might be a reference to a specific systemd man page, or to the RHEL 8 documentation (on the web), with _specific_ information about how to convert hosts.allow rules to e.g. sshd configuration or a systemd configuration for the sshd service.

Version-Release number of selected component (if applicable):

setup-2.12.2-1.el8.noarch

How reproducible:

any RHEL 8 beta install

Steps to Reproduce:

100% of installed RHEL 8 systems (incorrect files included in the package "setup-2.12.2-1.el8.noarch").

What information can you provide around timeframes and the business impact?

We actually use tcp_wrappers extensively on our Linux hosts, as a cheap and simple backup to hardware firewalls and as a local (on-premises) filter for restricted-access hosts. Reconfiguring 'sshd' on hundreds of hosts with different rule sets will be a significant imposition on our time (assuming we can even achieve the same level of functionality at all with the application-layer configuration options).


Additional info:
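
An added example, not part of the original report or of any Red Hat tooling: a sketch of the inventory step that the migration described above implies. It parses a leftover `hosts.allow` (the sample is constructed), normalises IPv4 client patterns to CIDR, the form `Match Address` in `sshd_config` accepts, and sets aside every rule that needs a manual decision; all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of a leftover /etc/hosts.allow; not taken from the bug report.
SAMPLE_HOSTS_ALLOW = """\
# hosts.allow   leftover rules from before the upgrade
sshd: 192.168.1. , 10.20.0.0/255.255.0.0
sshd: .example.com
vsftpd: ALL EXCEPT 198.51.100.7
sshd: 172.16.5.9 \\
      203.0.113.0/24
"""

def active_rules(text):
    """Yield (daemons, clients, needs_human) per rule; options and EXCEPT need a human."""
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join "\" continuations
        fields = line.strip().split(":")  # daemon_list : client_list [: option ...]
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue
        daemons, clients = (f.replace(",", " ").split() for f in fields[:2])
        if "EXCEPT" in daemons:  # keep "ALL EXCEPT x" together as one key
            daemons = [" ".join(daemons)]
        yield daemons, clients, len(fields) > 2 or "EXCEPT" in line.split()

def to_cidr(pattern):
    """Translate an IPv4 hosts_access pattern to CIDR, or None if it has no address form."""
    try:
        if pattern.endswith("."):  # "192.168.1." matches every address with that prefix
            octets = pattern[:-1].split(".")
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            return str(ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}"))
        if "/" in pattern:  # net/mask form, e.g. 10.20.0.0/255.255.0.0
            return str(ipaddress.IPv4Network(pattern, strict=False))
        return str(ipaddress.IPv4Network(pattern))  # single host becomes /32
    except ValueError:  # hostnames, ALL, wildcards, file paths, IPv6 fragments
        return None

def audit(text):
    """Return {daemon: {"cidr": [...], "manual": [...]}} for rules nothing enforces any more."""
    report = {}
    for daemons, clients, needs_human in active_rules(text):
        for daemon in daemons:
            entry = report.setdefault(daemon, {"cidr": [], "manual": []})
            for client in clients:
                cidr = None if needs_human else to_cidr(client)
                entry["cidr" if cidr else "manual"].append(cidr or client)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS_ALLOW))
```

Rules carrying an option field or the `EXCEPT` operator are never translated automatically, because either can invert what the client list means.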

Comment 14 Oneata Mircea Teodor 2019-03-20 12:44:24 UTC
This bug has been copied as 8.0.0 z-stream bug # 1690901 and now must be resolved in the current update release, set blocker flag.

Comment 19 Martin Osvald 🛹 2019-06-14 06:22:40 UTC
*** Bug 1683760 has been marked as a duplicate of this bug. ***

Comment 25 Jakub Jelen 2019-07-24 07:07:10 UTC
The current wording is very vague and does not give pretty much any useful information, except for the filenames. And actually it is not even correct, since these files were completely removed from RHEL8.

I would be for something along these lines:

> .The `/etc/hosts.allow` and `/etc/hosts.deny` files no longer contain outdated references to removed tcp_wrappers functionality

> Previously, the `/etc/hosts.allow` and `/etc/hosts.deny` files contained outdated information about tcp_wrappers. The files were removed in RHEL 8 as they are no longer needed for removed tcp_wrappers.