Since someone asked, here's my little SELinux rant:
Yesterday I set up a new server running F8. It's replacing an old
server and all it does is run sshd and openvpn. I decided to give
SELinux a try after many years of ignoring it.
I copied user home directories, /etc/passwd, /etc/shadow, /etc/group,
and ssh host keys from the old server to the new one. That was easy
I couldn't log into the machine using ssh public key authentication,
though--ssh kept falling back to password authentication. I checked
all the usual suspects like directory permissions, to no avail. I
passed -v -v -v to ssh and got no useful information.
After some poking around I noticed a bunch of messages in
/var/log/messages along the lines of "audit denied sshd btmp" and
"audit denied sshd /home/eswierk/..." blah blah blah. I figured this
was due to SELinux (although heaven knows why the message doesn't
contain the word "selinux"). Spent some time searching Google and came
across fixfiles, so I ran "fixfiles restore /", restarted sshd, and
voila, I could log in with a public key.
Next I copied the openvpn configuration from the old server and tried
to start it up. No joy. Having learned my lesson I headed straight to
/var/log/messages and once again found messages from SELinux, like
"audit denied openvpn ipp.txt". I ran "fixfiles restore /" again, but
this time it didn't help. Back to Google, and dug up some mailing list
messages with all sorts of stuff about updating policies. I spent
about 10 minutes trying various things without really understanding
them before resorting to the solution I do understand: set
SELINUX=disabled in /etc/sysconfig/selinux, reboot, done.
For me learning SELinux seems as pointless as trying to remember
iptables commands, or AFS trivia back when I was a student--all cause
me trouble just infrequently enough to ensure I have to relearn them
from scratch every time. If I were a full-time sysadmin of course it
would be a different story, but I really don't have the brain cycles
to remember anything more complicated than chmod and chown, and I
suspect a large number of accidental sysadmins feel the same.
fedora-devel-list mailing list