Bug 488677 - Wrong security context set on /etc/hosts.deny
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
low Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2009-03-05 01:46 EST by Allen Kistler
Modified: 2009-03-05 10:08 EST
Doc Type: Bug Fix
Clone Of: 487836
Last Closed: 2009-03-05 10:08:34 EST
Description Allen Kistler 2009-03-05 01:46:03 EST
Description of problem:
The context on /etc/hosts.deny is etc_runtime_t, but it should be etc_t. Compare to /etc/hosts.allow.  Applications that use tcp_wrappers but cannot access hosts.deny (because of its context) are allowing access that they shouldn't.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ls -Z /etc/hosts.[ad]*

Actual results:
Context is different from /etc/hosts.allow.

Expected results:
Context is the same as /etc/hosts.allow.

Additional info:
+++ This bug was initially created as a clone of Bug #487836 +++

Bug 487836 seems to have gotten turned into a denyhosts bug, although I intended it to be a bug for selinux-policy.  I've added more details below from one of the comments on Bug 487836.  Hopefully it can clarify things a little more.  We can let the other report remain a denyhosts report, but please have a look at this one as exclusively an selinux-policy bug and accept my apologies for any confusion arising from any inadequacies in my original description of the other one.

(Digging into selinux-policy a bit more...)
... In /etc/selinux/targeted/contexts/files/file_contexts, there is a line:
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
... which shouldn't be there, since:
/etc/.*            --   system_u:object_r:etc_t:s0
... (which is and should be there) should cover it correctly.

In other words, deleting the offending line from
which explicitly assigns the wrong context should fix things for this report.
Comment 1 Daniel Walsh 2009-03-05 10:08:34 EST
Fixed in selinux-policy-3.6.8-1.fc11
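
The labeling conflict described in the report, as an added example that is not part of the bug report or of selinux-policy: a small resolver for file_contexts-format text that shows which entry ends up labeling each tcp_wrappers file. It assumes a simplified matching model (the last matching entry in file order wins); the sample is constructed from the two entries quoted in the description, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Simplified model (assumption): every entry is an anchored
# regex, and the LAST matching entry in the file decides the label.

# Constructed sample: the two entries quoted in the report.
sample_fc() {
cat <<'EOF'
/etc/.*            --   system_u:object_r:etc_t:s0
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
EOF
}

# fc_type FILE PATH -> prints the SELinux type assigned to regular file PATH
fc_type() {
    awk -v p="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        NF == 3 && $2 != "--" { next }         # entry is for a non-regular file
        p ~ ("^" $1 "$") {                     # anchored match on the path
            if ($NF == "<<none>>") { t = $NF; next }
            split($NF, f, ":"); t = f[3]       # user:role:type:level
        }
        END { print t }' "$1"
}

# fc_same_type FILE A B -> exit 0 only when both paths resolve to one type
fc_same_type() {
    a=$(fc_type "$1" "$2")
    b=$(fc_type "$1" "$3")
    printf '%s -> %s\n%s -> %s\n' "$2" "$a" "$3" "$b"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo on the constructed sample: the explicit hosts.deny entry overrides
# the generic /etc/.* entry, so the two files receive different types.
fc=$(mktemp) && sample_fc > "$fc"
fc_same_type "$fc" /etc/hosts.allow /etc/hosts.deny ||
    echo "MISMATCH: hosts.deny is not labeled like hosts.allow"
rm -f "$fc"
```

On a live system, `matchpathcon /etc/hosts.allow /etc/hosts.deny` reports the labels the installed policy expects, and `ls -Z` shows what is actually on disk.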
