Red Hat Bugzilla – Bug 488677
Wrong security context set on /etc/hosts.deny
Last modified: 2009-03-05 10:08:34 EST
Description of problem:
The context on /etc/hosts.deny is etc_runtime_t, but it should be etc_t. Compare to /etc/hosts.allow. Applications that use tcp_wrappers but cannot access hosts.deny (because of its context) are allowing access that they shouldn't.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ls -Z /etc/hosts.[ad]*
Actual results:
Context is different from /etc/hosts.allow.
Expected results:
Context is the same as /etc/hosts.allow.
+++ This bug was initially created as a clone of Bug #487836 +++
Bug 487836 seems to have gotten turned into a denyhosts bug, although I intended it to be a bug for selinux-policy. I've added more details below from one of the comments on Bug 487836. Hopefully it can clarify things a little more. We can let the other report remain a denyhosts report, but please have a look at this one as exclusively an selinux-policy bug and accept my apologies for any confusion arising from any inadequacies in my original description of the other one.
(Digging into selinux-policy a bit more...)
... In /etc/selinux/targeted/contexts/files/file_contexts, there is a line:
/etc/hosts.deny -- system_u:object_r:etc_runtime_t:s0
... which shouldn't be there, since:
/etc/.* -- system_u:object_r:etc_t:s0
... (which is and should be there) should cover it correctly.
In other words, deleting the offending line from
which explicitly assigns the wrong context should fix things for this report.
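To make the precedence argument above concrete (the specific `/etc/hosts.deny` entry beating the generic `/etc/.*` entry, and the generic one taking over once the specific line is deleted), here is an added example that is not part of the bug report or of selinux-policy. It uses a constructed three-line excerpt of file_contexts and a deliberately simplified model of matchpathcon's precedence (longest literal prefix wins, ties go to the later entry); the real libselinux rules are more involved.

```python
import re

# Constructed file_contexts excerpt mirroring the lines quoted in this report.
# The /etc/hosts.deny entry is the one the reporter calls "offending".
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/etc/.*                 system_u:object_r:etc_t:s0
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
"""

# pattern, optional file-type flag (--, -d, -l, -c, -b, -s, -p), context
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?(\S+)$")

def parse_file_contexts(text):
    """Return (regex, type_flag_or_None, context) tuples; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable file_contexts line: %r" % raw)
        entries.append((m.group(1), m.group(2), m.group(3)))
    return entries

def literal_stem(pattern):
    """Length of the literal prefix before the first regex metacharacter (our specificity measure)."""
    m = re.search(r"[.^$*+?()\[\]{}|\\]", pattern)
    return len(pattern) if m is None else m.start()

def match_context(path, entries, is_regular_file=True):
    """Simplified (assumed) matchpathcon model: among entries whose anchored regex matches the
    whole path and whose type flag agrees, take the longest literal stem; ties go to the later entry."""
    best = None
    for idx, (pattern, ftype, ctx) in enumerate(entries):
        if ftype is not None and (ftype == "--") != is_regular_file:
            continue
        if re.fullmatch(pattern, path) is None:
            continue
        key = (literal_stem(pattern), idx)
        if best is None or key > best[0]:
            best = (key, pattern, ctx)
    return None if best is None else (best[1], best[2])

def check_tcp_wrappers_labels(entries):
    """Return the winning (pattern, context) per tcp_wrappers file and whether the two contexts differ."""
    labels = {p: match_context(p, entries) for p in ("/etc/hosts.allow", "/etc/hosts.deny")}
    contexts = {v[1] for v in labels.values() if v is not None}
    return labels, len(contexts) != 1
```

Dropping the `/etc/hosts.deny` entry from the parsed list makes `check_tcp_wrappers_labels` report both files as `etc_t`, which is the fix the report proposes.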
Fixed in selinux-policy-3.6.8-1.fc11