After installing blockhosts (with default configuration) every connection yielded
    .... warning: /etc/hosts.allow, line 59: execl /bin/sh: Permission denied
in /var/log/secure. The line number corresponds to
sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \
--verbose \
--echo "%c-%s" --ipblock=iptables \
--whitelist="10\..*,127.0.0.1" \
(etc)
I could run blockhosts.py by hand (as root) and it added entries in the
/etc/hosts.allow file as expected.
The problem turned out to be SELinux. Switching it to permissive mode allows
the invocation in /etc/hosts.allow to begin. The SELinux console indicates the
problem:
-------------------------------------------------------------------------------------------------------------
SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
With additional information:
Source Context: system_u:system_r:iptables_t:s0-s0:c0.c1023
Target Context: system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects: socket [ tcp_socket ]
Source: iptables
Source Path: /sbin/iptables
Port:
Host: localhost.localdomain
Source RPM Packages: iptables-1.4.1.1-1.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-74.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.25.9-76.fc9.x86_64 #1 SMP Fri Jun 27 15:58:30 EDT 2008 x86_64 x86_64
Alert Count: 2
First Seen: Sat 12 Jul 2008 10:50:47 AM EDT
Last Seen: Sat 12 Jul 2008 10:51:59 AM EDT
Local ID: 35baf6ba-e26d-4347-8cd7-e6a2f92da1ec
Line Numbers:
-------------------------------------------------------------------------------------------------------------------
Any advice on either modifying the SELinux policy configuration or changing the way
in which blockhosts is configured would be appreciated!
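The alert above only shows the source and target contexts and the object class; the actual AVC records in /var/log/audit/audit.log also carry the denied permissions, which is what a targeted policy rule needs. The following script is an added example, not part of the original post or of blockhosts: it parses AVC denial records and groups them into allow rules of the kind audit2allow would emit. The sample records are constructed to match the iptables_t -> sshd_t / tcp_socket contexts from the alert; the permissions, pids and timestamps in them are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the contexts in the alert above.
# The permissions ({ read }, { write }), pids and timestamps are invented;
# real records come from /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1215874247.123:41): avc:  denied  { read } for  pid=4242 comm="iptables" scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1215874319.456:42): avc:  denied  { write } for  pid=4251 comm="iptables" scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1215874319.456:42): arch=c000003e syscall=59 success=yes exit=0
"""

# Matches the fields of an AVC denial record; other record types are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Extract the type field: system_u:system_r:iptables_t:s0-s0:c0.c1023 -> iptables_t"""
    return ctx.split(':')[2]

def collect_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the SYSCALL line)
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def to_te_rules(denials):
    """Render one allow rule per (source, target, class), as in a .te file."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in to_te_rules(collect_denials(SAMPLE_AUDIT)):
        print(rule)
```

Reviewing the generated rules before loading them is the point: a rule that only grants iptables_t the specific socket permissions it was denied keeps enforcing mode on, whereas permissive mode disables every other check on the host as well.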