On Wed, 2006-11-29 at 12:38 -0600, Jason L Tibbitts III wrote:
> >>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>
> DJW> A better solution from the SELinux point of view is to add a new
> DJW> directory. and /etc/denyhosts/ and put your configuration files
> DJW> there.
>
> I'm not sure what you're referring to. There's only one configuration
> file and it's not modified by the program. Surely you can't be saying
> that every package that has a configuration file in /etc needs to move
> it into a subdirectory.
>
> If /etc/hosts.deny is the problem, well, that's the location of the
> file. The denyhosts package doesn't own it.

Yes, /etc/hosts.deny is the issue. The halfway step is to move it into
etc_runtime_t and allow denyhosts to write to that type, thereby only
opening up access to the set of files in that type and not all of etc_t.
The fine-grained step is to move it into its own private type. Either
way may involve some changes to other policy modules for processes that
need to access that file, but the former should have smaller impact.

--
Stephen Smalley
National Security Agency
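
The two labeling options described in the reply above, sketched as a local policy module. This is an added example, not policy from the thread or from Fedora. The module name, the domain name `denyhosts_t` and the private type name `hosts_deny_t` are assumptions, as is the premise that denyhosts edits the file in place.

```selinux
# local_denyhosts.te (added example; denyhosts_t and hosts_deny_t are assumed names)
module local_denyhosts 1.0;

require {
	type denyhosts_t;       # assumed: domain the denyhosts daemon runs in
	type etc_runtime_t;
	attribute file_type;
	# "open" is checked on current kernels; drop it if the policy lacks it
	class file { getattr open read write append lock ioctl };
}

# Private type used only by the fine-grained step below.
type hosts_deny_t;
typeattribute hosts_deny_t file_type;

# Halfway step: /etc/hosts.deny is labeled etc_runtime_t and denyhosts may
# write that type. Nothing here grants write access to etc_t.
# Matching line in local_denyhosts.fc:
#   /etc/hosts\.deny  --  system_u:object_r:etc_runtime_t:s0
allow denyhosts_t etc_runtime_t:file { getattr open read write append lock ioctl };

# Fine-grained step (use instead of the rule above): the file gets its own
# type, so denyhosts can write this one file and nothing else.
# Matching line in local_denyhosts.fc:
#   /etc/hosts\.deny  --  system_u:object_r:hosts_deny_t:s0
allow denyhosts_t hosts_deny_t:file { getattr open read write append lock ioctl };

# With the private type, every other domain that consults the file needs its
# own read rule on hosts_deny_t. Those are the changes to other policy
# modules that the reply mentions.
```

Only one of the two file-context lines can be in effect for the path at a time; after loading the module, relabel the file so the chosen context is applied.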