Since someone asked, here's my little SELinux rant:

Yesterday I set up a new server running F8. It's replacing an old server and all it does is run sshd and openvpn. I decided to give SELinux a try after many years of ignoring it.

I copied user home directories, /etc/passwd, /etc/shadow, /etc/group, and ssh host keys from the old server to the new one. That was easy enough. I couldn't log into the machine using ssh public key authentication, though--ssh kept falling back to password authentication. I checked all the usual suspects like directory permissions, to no avail. I passed -v -v -v to ssh and got no useful information. After some poking around I noticed a bunch of messages in /var/log/messages along the lines of "audit denied sshd btmp" and "audit denied sshd /home/eswierk/..." blah blah blah. I figured this was due to SELinux (although heaven knows why the message doesn't contain the word "selinux"). Spent some time searching Google and came across fixfiles, so I ran "fixfiles restore /", restarted sshd, and voila, I could log in with a public key.

Next I copied the openvpn configuration from the old server and tried to start it up. No joy. Having learned my lesson, I headed straight to /var/log/messages and once again found messages from SELinux, like "audit denied openvpn ipp.txt". I ran "fixfiles restore /" again, but this time it didn't help. Back to Google, and dug up some mailing list messages with all sorts of stuff about updating policies. I spent about 10 minutes trying various things without really understanding them before resorting to the solution I do understand: set SELINUX=disabled in /etc/sysconfig/selinux, reboot, done.

For me learning SELinux seems as pointless as trying to remember iptables commands, or AFS trivia back when I was a student--all cause me trouble just infrequently enough to ensure I have to relearn them from scratch every time. If I were a full-time sysadmin of course it would be a different story, but I really don't have the brain cycles to remember anything more complicated than chmod and chown, and I suspect a large number of accidental sysadmins feel the same.

--Ed

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
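The two failures in the post (sshd fixed by a relabel, openvpn not) are the two kinds of SELinux denial, and the kernel's AVC lines in /var/log/messages carry enough to tell them apart once they are pulled out of the noise. The script below is an added example, not the poster's or Fedora's code: it parses constructed syslog lines in the kernel AVC format (the lines literally say "avc: denied", which is why the word "selinux" never appears), prints one readable line per denial, and the comments spell out the on-box check (ls -Z against matchpathcon) that decides whether restorecon/fixfiles can help or whether the policy itself lacks the rule. Hostnames, pids, inodes and timestamps in the sample are made up; it needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials as
# they land in /var/log/messages when auditd is not running, so the next step
# can be chosen without disabling SELinux.
#
# Constructed sample log. The line format is modelled on the kernel's AVC
# output; hostnames, pids, inodes and timestamps are made up for this example.
SAMPLE_LOG='Jan  1 10:00:01 vpn kernel: audit(1199181601.123:17): avc:  denied  { write } for  pid=2001 comm="sshd" name="btmp" dev=sda3 ino=1001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Jan  1 10:00:02 vpn kernel: audit(1199181602.456:18): avc:  denied  { read } for  pid=2001 comm="sshd" name="authorized_keys" dev=sda3 ino=2002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Jan  1 10:05:00 vpn kernel: audit(1199181900.789:21): avc:  denied  { read } for  pid=2100 comm="openvpn" name="ipp.txt" dev=sda3 ino=3003 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file
Jan  1 10:05:01 vpn sshd[2001]: Accepted publickey for eswierk from 10.0.0.5 port 51000 ssh2'

# avc_summary: read syslog lines on stdin, print one line per AVC denial:
#   <comm> denied <perms> on <name> (tclass=<class>, target type=<type>)
# Non-AVC lines (like the sshd "Accepted publickey" line) are ignored.
avc_summary() {
    awk '
        /avc: +denied/ {
            perms = ""; comm = ""; name = "?"; ttype = "?"; tclass = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    # permissions are listed between { and }, e.g. { read write }
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = perms (perms == "" ? "" : ",") $j
                } else if ($i ~ /^comm=/) {
                    comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm)
                } else if ($i ~ /^name=/) {
                    name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name)
                } else if ($i ~ /^tcontext=/) {
                    # tcontext is user:role:type:level; the type is what matters
                    split(substr($i, 10), ctx, ":"); ttype = ctx[3]
                } else if ($i ~ /^tclass=/) {
                    tclass = substr($i, 8)
                }
            }
            printf "%s denied %s on %s (tclass=%s, target type=%s)\n", comm, perms, name, tclass, ttype
        }'
}

# avc_count: number of denials on stdin (0 when there are none).
avc_count() {
    avc_summary | awk 'END { print NR }'
}

# Deciding between "relabel" and "policy gap" on the real box (needs an
# SELinux-enabled system, so it is not run here):
#   ls -Z /var/log/btmp           # label the file carries now
#   matchpathcon /var/log/btmp    # label the loaded policy says it should carry
# If the two differ, the file was copied without its label and
# "restorecon -Rv <dir>" (or "fixfiles restore /") fixes it, which is what
# cured the sshd denials in the post. If they already match, as the openvpn
# denial above models, relabeling cannot help: the policy itself lacks the
# rule, which is the case for audit2allow or a fixed policy package.

printf '%s\n' "$SAMPLE_LOG" | avc_summary
```

On a live system, feed it the real log (`avc_summary < /var/log/messages`) and run the ls -Z / matchpathcon pair on each file it names; a denial whose target type already matches the policy default is the one that a whole-filesystem relabel will never fix.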