Bug 488677 - Wrong security context set on /etc/hosts.deny
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-03-05 06:46 UTC by Allen Kistler
Modified: 2009-03-05 15:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 487836
Environment:
Last Closed: 2009-03-05 15:08:34 UTC
Type: ---
Embargoed:


Description Allen Kistler 2009-03-05 06:46:03 UTC
Description of problem:
The context on /etc/hosts.deny is etc_runtime_t, but it should be etc_t. Compare to /etc/hosts.allow.  Applications that use tcp_wrappers but cannot access hosts.deny (because of its context) are allowing access that they shouldn't.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.7-1.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. ls -Z /etc/hosts.[ad]*
  
Actual results:
Context is different from /etc/hosts.allow.

Expected results:
Context is the same as /etc/hosts.allow.

Additional info:
+++ This bug was initially created as a clone of Bug #487836 +++

Bug 487836 seems to have gotten turned into a denyhosts bug, although I intended it to be a bug for selinux-policy.  I've added more details below from one of the comments on Bug 487836.  Hopefully it can clarify things a little more.  We can let the other report remain a denyhosts report, but please have a look at this one as exclusively an selinux-policy bug and accept my apologies for any confusion arising from any inadequacies in my original description of the other one.

(Digging into selinux-policy a bit more...)
... In /etc/selinux/targeted/contexts/files/file_contexts, there is a line:
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
... which shouldn't be there, since:
/etc/.*            --   system_u:object_r:etc_t:s0
... (which is and should be there) should cover it correctly.

In other words, deleting the offending line from
/etc/selinux/targeted/contexts/files/file_contexts
which explicitly assigns the wrong context should fix things for this report.
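
The lookup the description reasons about, as an added example that is not part of the original report or of selinux-policy: it resolves both tcp_wrappers files against a constructed file_contexts excerpt, before and after deleting the explicit hosts.deny line. It assumes the rule that the last matching specification in the file wins and uses Python's `re` in place of the POSIX regexes libselinux uses; `parse`, `lookup`, `selinux_type` and `mismatched` are hypothetical helper names.

```python
import re

# Constructed excerpt in the file_contexts format quoted in the report.
# The two lines are the ones from the report; their order here is assumed.
BEFORE = """\
/etc/.*            --   system_u:object_r:etc_t:s0
/etc/hosts.deny    --   system_u:object_r:etc_runtime_t:s0
"""
# Same excerpt with the explicit hosts.deny line deleted, as the report proposes.
AFTER = """\
/etc/.*            --   system_u:object_r:etc_t:s0
"""

def parse(text):
    """Return [(compiled_regex, file_type_or_None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:          # regex, file type (e.g. "--"), context
            pattern, ftype, context = fields
        elif len(fields) == 2:        # regex, context (applies to any file type)
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"unparseable specification: {line!r}")
        specs.append((re.compile(pattern), ftype, context))
    return specs

def lookup(specs, path, ftype="--"):
    """Assumed rule: the last specification matching the whole path wins."""
    for regex, spec_type, context in reversed(specs):
        if spec_type in (None, ftype) and regex.fullmatch(path):
            return context
    return None

def selinux_type(context):
    """Third field of user:role:type:level, or None if nothing matched."""
    return context.split(":")[2] if context else None

def mismatched(specs, reference="/etc/hosts.allow", other="/etc/hosts.deny"):
    """True when the two tcp_wrappers files resolve to different types."""
    return selinux_type(lookup(specs, reference)) != selinux_type(lookup(specs, other))

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        specs = parse(text)
        for path in ("/etc/hosts.allow", "/etc/hosts.deny"):
            print(name, path, lookup(specs, path))
        print(name, "mismatch:", mismatched(specs))
```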

Comment 1 Daniel Walsh 2009-03-05 15:08:34 UTC
Fixed in selinux-policy-3.6.8-1.fc11
