Bug 488677 - Wrong security context set on /etc/hosts.deny
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-03-05 01:46 EST by Allen Kistler
Modified: 2009-03-05 10:08 EST
Doc Type: Bug Fix
Clone Of: 487836
Last Closed: 2009-03-05 10:08:34 EST
Description Allen Kistler 2009-03-05 01:46:03 EST
Description of problem:
The context on /etc/hosts.deny is etc_runtime_t, but it should be etc_t. Compare to /etc/hosts.allow.  Applications that use tcp_wrappers but cannot access hosts.deny (because of its context) are allowing access that they shouldn't.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.7-1.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. ls -Z /etc/hosts.[ad]*
  
Actual results:
Context is different from /etc/hosts.allow.

Expected results:
Context is the same as /etc/hosts.allow.

Additional info:
+++ This bug was initially created as a clone of Bug #487836 +++

Bug 487836 seems to have gotten turned into a denyhosts bug, although I intended it to be a bug for selinux-policy.  I've added more details below from one of the comments on Bug 487836.  Hopefully it can clarify things a little more.  We can let the other report remain a denyhosts report, but please have a look at this one as exclusively an selinux-policy bug and accept my apologies for any confusion arising from any inadequacies in my original description of the other one.

(Digging into selinux-policy a bit more...)
... In /etc/selinux/targeted/contexts/files/file_contexts, there is a line:
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
... which shouldn't be there, since:
/etc/.*            --   system_u:object_r:etc_t:s0
... (which is and should be there) should cover it correctly.

In other words, deleting the offending line from
/etc/selinux/targeted/contexts/files/file_contexts
which explicitly assigns the wrong context should fix things for this report.
Comment 1 Daniel Walsh 2009-03-05 10:08:34 EST
Fixed in selinux-policy-3.6.8-1.fc11
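
The precedence described in the report above, as an added example (not part of the original report or of selinux-policy): a Python sketch that resolves /etc/hosts.allow and /etc/hosts.deny against the two file_contexts lines quoted in the description. It assumes a simplified rule that the last matching entry wins; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: only the two file_contexts lines quoted in the report.
SAMPLE = """\
/etc/.*            --   system_u:object_r:etc_t:s0
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
"""

def parse_specs(text):
    """Return (regex, file_type, context) tuples from file_contexts text."""
    specs = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            continue  # not an entry this sketch understands
        specs.append((pattern, ftype, context))
    return specs

def resolve(specs, path, ftype="--"):
    """Context of the last entry matching path (assumed precedence rule)."""
    winner = None
    for pattern, spec_type, context in specs:
        if spec_type not in (None, ftype):
            continue  # entry is restricted to another file type
        if re.fullmatch(pattern, path):
            winner = context
    return winner

def selinux_type(context):
    """Third field of user:role:type:level, or None if absent."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else None

def compare(specs, path_a="/etc/hosts.allow", path_b="/etc/hosts.deny"):
    """Return both resolved types and whether they agree."""
    a = selinux_type(resolve(specs, path_a))
    b = selinux_type(resolve(specs, path_b))
    return a, b, a == b

if __name__ == "__main__":
    print(compare(parse_specs(SAMPLE)))
```

On a live system, `matchpathcon /etc/hosts.allow /etc/hosts.deny` reports what the installed policy expects, and `ls -Z` shows what is actually on disk.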