01-03-2008, 08:29 PM
"Ed Swierk"

Another selinux rant

Since someone asked, here's my little SELinux rant:

Yesterday I set up a new server running F8. It's replacing an old
server and all it does is run sshd and openvpn. I decided to give
SELinux a try after many years of ignoring it.

I copied user home directories, /etc/passwd, /etc/shadow, /etc/group,
and ssh host keys from the old server to the new one. That was easy
enough.

I couldn't log into the machine using ssh public key authentication,
though--ssh kept falling back to password authentication. I checked
all the usual suspects like directory permissions, to no avail. I
passed -v -v -v to ssh and got no useful information.

After some poking around I noticed a bunch of messages in
/var/log/messages along the lines of "audit denied sshd btmp" and
"audit denied sshd /home/eswierk/..." blah blah blah. I figured this
was due to SELinux (although heaven knows why the message doesn't
contain the word "selinux"). Spent some time searching Google and came
across fixfiles, so I ran "fixfiles restore /", restarted sshd, and
voila, I could log in with a public key.

Next I copied the openvpn configuration from the old server and tried
to start it up. No joy. Having learned my lesson I headed straight to
/var/log/messages and once again found messages from SELinux, like
"audit denied openvpn ipp.txt". I ran "fixfiles restore /" again, but
this time it didn't help. Back to Google, and dug up some mailing list
messages with all sorts of stuff about updating policies. I spent
about 10 minutes trying various things without really understanding
them before resorting to the solution I do understand: set
SELINUX=disabled in /etc/sysconfig/selinux, reboot, done.

For me learning SELinux seems as pointless as trying to remember
iptables commands, or AFS trivia back when I was a student--all cause
me trouble just infrequently enough to ensure I have to relearn them
from scratch every time. If I were a full-time sysadmin of course it
would be a different story, but I really don't have the brain cycles
to remember anything more complicated than chmod and chown, and I
suspect a large number of accidental sysadmins feel the same.

--Ed

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
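The two failures in the post above are different kinds of denial: the sshd ones went away after a relabel, the openvpn one did not. Below is an added shell example (not part of Ed's post or of any Fedora tool) that triages the "audit denied ..." lines from a log and sorts each denial into "relabel" (the target file carries one of the placeholder types that mean it was never properly labelled, so fixfiles restore / restorecon will fix it) or "policy" (the label is already the one policy assigns, so relabeling cannot help). The log lines it reads are constructed samples in the /var/log/messages shape; the types, paths and PIDs in them are made up for the example, not taken from the post.

```shell
# Added example, not from the original post: triage helper for SELinux
# AVC denial lines.  Reads log lines on stdin and prints one summary
# line per denial with a "relabel" or "policy" verdict.

# Constructed sample log (values are made up): two sshd denials on
# copied-in files that lost their labels, one openvpn denial on a file
# living under /root, and one ordinary non-AVC sshd line.
SAMPLE_LOG='Jan  2 18:02:11 srv kernel: audit(1199296931.123:45): avc:  denied  { read } for  pid=2345 comm="sshd" name="authorized_keys" dev=sda2 ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Jan  2 18:02:11 srv kernel: audit(1199296931.124:46): avc:  denied  { write } for  pid=2345 comm="sshd" name="btmp" dev=sda2 ino=2345 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Jan  2 19:10:03 srv kernel: audit(1199301003.551:47): avc:  denied  { write } for  pid=3001 comm="openvpn" name="ipp.txt" dev=sda2 ino=3456 scontext=system_u:system_r:openvpn_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=file
Jan  2 19:10:04 srv sshd[2345]: Accepted publickey for eswierk from 10.0.0.5 port 51234 ssh2'

# avc_field LINE KEY: value of KEY=... in an AVC line, with the
# surrounding double quotes stripped (comm="sshd" -> sshd).
avc_field() {
  printf '%s\n' "$1" | sed -n 's/.* '"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "read" or "read write".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated field) of a
# context such as system_u:object_r:file_t:s0 -> file_t.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# classify_denial LINE: "relabel" when the target type is one of the
# placeholder types meaning "no proper label" (file_t, unlabeled_t,
# default_t), which a restorecon/fixfiles run replaces; else "policy".
classify_denial() {
  case "$(ctx_type "$(avc_field "$1" tcontext)")" in
    file_t|unlabeled_t|default_t) echo relabel ;;
    *) echo policy ;;
  esac
}

# avc_summary: read log lines on stdin, print one line per AVC denial:
#   comm(source_type) perms tclass name[target_type] verdict
avc_summary() {
  grep 'avc: *denied' | while IFS= read -r line; do
    printf '%s(%s) %s %s %s[%s] %s\n' \
      "$(avc_field "$line" comm)" \
      "$(ctx_type "$(avc_field "$line" scontext)")" \
      "$(avc_perms "$line")" \
      "$(avc_field "$line" tclass)" \
      "$(avc_field "$line" name)" \
      "$(ctx_type "$(avc_field "$line" tcontext)")" \
      "$(classify_denial "$line")"
  done
}

# Counts over the constructed sample, so the result can be checked.
denial_count()  { printf '%s\n' "$SAMPLE_LOG" | avc_summary | grep -c .; }
relabel_count() { printf '%s\n' "$SAMPLE_LOG" | avc_summary | grep -c ' relabel$'; }

# Stand-alone run: print the triage table for the sample log.
# On a real host: avc_summary < /var/log/messages   or   ausearch -m avc | avc_summary
printf '%s\n' "$SAMPLE_LOG" | avc_summary
```

On the sample this prints the two sshd denials with a "relabel" verdict (file_t is the type files get when they carry no label at all, which is what copying a home directory in without preserving contexts produces) and the openvpn one as "policy". A "policy" verdict is the case where a second fixfiles run changes nothing: the file sits somewhere the policy does not expect that daemon to write, and the fix is to move it to the location the policy was written for (for openvpn, under /etc/openvpn and its runtime directories) or to read what audit2allow or sealert say is missing, rather than setting SELINUX=disabled.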
 

Thread Tools




All times are GMT. The time now is 05:02 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org