Bug 488677

Summary: Wrong security context set on /etc/hosts.deny
Product: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Allen Kistler <ackistler>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dennis, dwalsh, jkubin, j, mgrepl
Doc Type: Bug Fix
Clone Of: 487836
Last Closed: 2009-03-05 15:08:34 UTC

Description Allen Kistler 2009-03-05 06:46:03 UTC
Description of problem:
The context on /etc/hosts.deny is etc_runtime_t, but it should be etc_t. Compare to /etc/hosts.allow.  Applications that use tcp_wrappers but cannot access hosts.deny (because of its context) are allowing access that they shouldn't.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.7-1.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. ls -Z /etc/hosts.[ad]*
  
Actual results:
Context is different from /etc/hosts.allow.

Expected results:
Context is the same as /etc/hosts.allow.

Additional info:
+++ This bug was initially created as a clone of Bug #487836 +++

Bug 487836 seems to have gotten turned into a denyhosts bug, although I intended it to be a bug for selinux-policy.  I've added more details below from one of the comments on Bug 487836.  Hopefully it can clarify things a little more.  We can let the other report remain a denyhosts report, but please have a look at this one as exclusively an selinux-policy bug and accept my apologies for any confusion arising from any inadequacies in my original description of the other one.

(Digging into selinux-policy a bit more...)
... In /etc/selinux/targeted/contexts/files/file_contexts, there is a line:
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
... which shouldn't be there, since:
/etc/.*            --   system_u:object_r:etc_t:s0
... (which is and should be there) should cover it correctly.

In other words, deleting the offending line from
/etc/selinux/targeted/contexts/files/file_contexts
which explicitly assigns the wrong context should fix things for this report.
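The override described above, as an added example that is not part of the report and not libselinux code: a small Python model of a file_contexts lookup, following the rule file_contexts(5) documents (an entry with a file type applies only to that type; when several entries match, the last one in the file wins), run over a constructed three-line excerpt with and without the offending /etc/hosts.deny entry. The default_t line and the check function are assumptions made for the example.

```python
import re

# Constructed excerpt modelled on the two file_contexts entries quoted in the
# report (a real file_contexts has thousands of lines). The last line is the
# one the report says should not be there.
FILE_CONTEXTS_BUGGY = """\
/.*                 system_u:object_r:default_t:s0
/etc/.*         --  system_u:object_r:etc_t:s0
/etc/hosts.deny --  system_u:object_r:etc_runtime_t:s0
"""
# The fix the report proposes: the same file with the offending line deleted.
FILE_CONTEXTS_FIXED = "\n".join(
    l for l in FILE_CONTEXTS_BUGGY.splitlines() if "etc_runtime_t" not in l)

def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (compiled regex, filetype,
    context) tuples; filetype is None when the entry applies to any type."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields
        else:
            regex, ftype, context = fields[0], None, fields[1]
        # libselinux anchors the expression so it must match the whole path.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs

def lookup(specs, path, ftype="--"):
    """Context for path ('--' = regular file). An entry with a file type only
    applies to that type, and when several entries match the last one in the
    file wins, which is the rule file_contexts(5) documents."""
    winner = None
    for regex, spec_ftype, context in specs:
        if spec_ftype in (None, ftype) and regex.match(path):
            winner = context
    return winner

def tcp_wrappers_types(text):
    """Type (third context field) each tcp_wrappers file would get, plus whether
    they agree: the report's expected result is that they do."""
    specs = parse_file_contexts(text)
    types = {p: lookup(specs, p).split(":")[2]
             for p in ("/etc/hosts.allow", "/etc/hosts.deny")}
    return types, len(set(types.values())) == 1
```

Calling tcp_wrappers_types on FILE_CONTEXTS_BUGGY reproduces the report's mismatch (etc_t vs. etc_runtime_t); on FILE_CONTEXTS_FIXED both files resolve to etc_t.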

Comment 1 Daniel Walsh 2009-03-05 15:08:34 UTC
Fixed in selinux-policy-3.6.8-1.fc11