I maintain the denyhosts package in Fedora Extras. Recently a user reported that denyhosts resets the security context on /etc/hosts.deny which breaks other services. (The ticket is https://bugzilla.redhat.com/212771 .) It isn't completely clear what is happening from the report.

Denyhosts performs two operations on hosts.deny:

1) When adding new hosts, it appends (usually) two lines to the file.

2) When purging old hosts, it creates a new temporary file (currently named hosts.deny.purge.tmp, although there's certainly no permanent guarantee of this), copies over the lines not being purged, and then renames the new file into place.

My understanding is that the first operation won't change the security context of the file, but the second is quite likely to.

Unfortunately the reporter hasn't provided any information about whether my last suggestion of running

  semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp

or using a pattern helped the situation. My understanding is that this should fix the issue, but I am far from a SELinux expert.

Might anyone have additional advice? Is there any way to future-proof this in case upstream decides to use a different temporary filename? Would it be reasonable to create a full policy for denyhosts?

- J<
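An added example, not part of the original post and not DenyHosts code: a purge that uses the same temp-file-and-rename pattern but copies the original file's SELinux label (the `security.selinux` extended attribute) onto the temporary file before renaming, so the result does not depend on the temporary file's name. The function names `copy_label` and `purge_hosts` and the rule "drop lines whose last field is a purged host" are assumptions made for illustration.

```python
import errno
import os
import tempfile

SELINUX_XATTR = "security.selinux"  # xattr in which Linux stores a file's SELinux label


def copy_label(src, dst, attr=SELINUX_XATTR):
    """Copy one extended attribute from src to dst; return True if it was copied."""
    try:
        os.setxattr(dst, attr, os.getxattr(src, attr))
        return True
    except OSError as exc:
        # No label on src, no xattr support, or relabeling not permitted:
        # report it so the caller can log and fall back to restorecon.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP, errno.EPERM, errno.EACCES):
            return False
        raise


def purge_hosts(path, purged_hosts):
    """Rewrite path without lines for purged_hosts, keeping mode, owner and label."""
    st = os.stat(path)
    # Temporary file in the same directory so the rename stays on one filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".purge.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as out, open(path) as src:
            for line in src:
                fields = line.split()
                # Assumed rule: drop any line whose last field is a purged host.
                if len(fields) >= 2 and fields[-1] in purged_hosts:
                    continue
                out.write(line)
        os.chmod(tmp, st.st_mode & 0o7777)  # mkstemp creates the file as 0600
        if os.geteuid() == 0:
            os.chown(tmp, st.st_uid, st.st_gid)
        labelled = copy_label(path, tmp)  # label travels with the inode being renamed
        os.replace(tmp, path)  # atomic rename into place
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return labelled
```

A `False` return means the label was not carried over (no SELinux label present, or the process may not relabel), in which case running `restorecon` on the file afterwards is the fallback.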