Description of problem:
The context on /etc/hosts.deny is etc_runtime_t, but it should be etc_t. Compare to /etc/hosts.allow. Applications that use tcp_wrappers but cannot access hosts.deny (because of its context) are allowing access that they shouldn't.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.7-1.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. ls -Z /etc/hosts.[ad]*

Actual results:
Context is different from /etc/hosts.allow.

Expected results:
Context is the same as /etc/hosts.allow.

Additional info:
+++ This bug was initially created as a clone of Bug #487836 +++

Bug 487836 seems to have gotten turned into a denyhosts bug, although I intended it to be a bug for selinux-policy. I've added more details below from one of the comments on Bug 487836. Hopefully it can clarify things a little more. We can let the other report remain a denyhosts report, but please have a look at this one as exclusively an selinux-policy bug and accept my apologies for any confusion arising from any inadequacies in my original description of the other one.

(Digging into selinux-policy a bit more...)

...

In /etc/selinux/targeted/contexts/files/file_contexts, there is a line:

    /etc/hosts.deny -- system_u:object_r:etc_runtime_t:s0

... which shouldn't be there, since:

    /etc/.* -- system_u:object_r:etc_t:s0

... (which is and should be there) should cover it correctly. In other words, deleting the offending line from /etc/selinux/targeted/contexts/files/file_contexts which explicitly assigns the wrong context should fix things for this report.
Fixed in selinux-policy-3.6.8-1.fc11
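
The check described in the report can be run against file_contexts text directly. The following is an added example, not part of the original report or of selinux-policy: it resolves the type two paths would receive, names the entry responsible for a mismatch, and shows the type that results if that entry is deleted. The function names and the sample text are constructed for illustration, and precedence is simplified to "last matching entry wins" (an assumption about how the installed file is ordered).

```python
import re

# Constructed sample: the two entries quoted in the report, generic pattern first.
SAMPLE = (
    "/etc/.*\t--\tsystem_u:object_r:etc_t:s0\n"
    "/etc/hosts.deny\t--\tsystem_u:object_r:etc_runtime_t:s0\n"
)

def parse(text):
    """Parse file_contexts text into (lineno, pattern, filetype, context) tuples."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:          # the file-type column is optional
            fields.insert(1, None)
        if len(fields) == 3:
            specs.append((lineno, *fields))
    return specs

def resolve(path, specs):
    """Return the entry that labels a regular file at `path`, or None.

    Assumption: simplified precedence, the last matching entry wins."""
    for spec in reversed(specs):
        _, pattern, ftype, _ = spec
        if ftype in (None, "--") and re.fullmatch(pattern, path):
            return spec
    return None

def sel_type(spec):
    """Type field of user:role:type:level; None for no match or <<none>>."""
    if spec is None or spec[3].count(":") < 2:
        return None
    return spec[3].split(":")[2]

def audit_pair(reference, candidate, text=SAMPLE):
    """Check that `candidate` is assigned the same type as `reference`."""
    specs = parse(text)
    ref, cand = resolve(reference, specs), resolve(candidate, specs)
    report = {"reference_type": sel_type(ref), "candidate_type": sel_type(cand),
              "offending_line": None, "type_if_removed": None}
    if report["reference_type"] != report["candidate_type"] and cand is not None:
        report["offending_line"] = cand[0]
        remaining = [s for s in specs if s is not cand]
        report["type_if_removed"] = sel_type(resolve(candidate, remaining))
    return report

if __name__ == "__main__":
    print(audit_pair("/etc/hosts.allow", "/etc/hosts.deny"))
```

On a live system, compare the result with what ls -Z reports for the same two files, since an on-disk label can differ from the policy until the file is relabeled.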