Jason L Tibbitts III wrote:
>>>>> "DJW" == Daniel J Walsh
<dwalsh(a)redhat.com> writes:
>>>>>
DJW> A better solution from the SELinux point of view is to add a new
DJW> directory. and /etc/denyhosts/ and put your configuration files
DJW> there.
I'm not sure what you're referring to. There's only one configuration
file and it's not modified by the program. Surely you can't be saying
that every package that has a configuration file in /etc needs to move
it into a subdirectory.
If /etc/hosts.deny is the problem, well, that's the location of the
file. The denyhosts package doesn't own it.
- J<
Jeff Carlson used a syntax that looked like you could put the hosts.deny
files in a location other than
/etc
---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0
sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live. No reason to accept SSH from where I don't.
---- hosts.deny ----
ALL:ALL
I was suggesting you could write the tool in such a way that it had those files in a
separate location.
One thing we might want to consider, is adding an attribute ETCFILE or some such and
changing
files_read_etc_files() to allow reading of these files. This way new tools could define
types of files that they want to manage and still allow all of the domains that want to
read /etc files succeed. I have a tool right now that wants to manage /etc/fstab.
Dan