Another selinux rant

Eric Paris eparis at redhat.com
Thu Jan 3 21:36:57 UTC 2008


Could you explain how you 'copied' these configuration files?  Is this
tar/untar?  I'm trying to figure out how the labels for stuff in ~/.ssh
got messed up for you.

As to ipp.txt, I don't know what it is, so I can't even begin to guess...

-Eric

On Thu, 2008-01-03 at 13:29 -0800, Ed Swierk wrote:
> Since someone asked, here's my little SELinux rant:
> 
> Yesterday I set up a new server running F8. It's replacing an old
> server and all it does is run sshd and openvpn. I decided to give
> SELinux a try after many years of ignoring it.
> 
> I copied user home directories, /etc/passwd, /etc/shadow, /etc/group,
> and ssh host keys from the old server to the new one. That was easy
> enough.
> 
> I couldn't log into the machine using ssh public key authentication,
> though--ssh kept falling back to password authentication. I checked
> all the usual suspects like directory permissions, to no avail. I
> passed -v -v -v to ssh and got no useful information.
> 
> After some poking around I noticed a bunch of messages in
> /var/log/messages along the lines of "audit denied sshd btmp" and
> "audit denied sshd /home/eswierk/..." blah blah blah. I figured this
> was due to SELinux (although heaven knows why the message doesn't
> contain the word "selinux"). Spent some time searching Google and came
> across fixfiles, so I ran "fixfiles restore /", restarted sshd, and
> voila, I could log in with a public key.
> 
> Next I copied the openvpn configuration from the old server and tried
> to start it up. No joy. Having learned my lesson I headed straight to
> /var/log/messages and once again found messages from SELinux, like
> "audit denied openvpn ipp.txt". I ran "fixfiles restore /" again, but
> this time it didn't help. Back to Google, and dug up some mailing list
> messages with all sorts of stuff about updating policies. I spent
> about 10 minutes trying various things without really understanding
> them before resorting to the solution I do understand: set
> SELINUX=disabled in /etc/sysconfig/selinux, reboot, done.
> 
> For me learning SELinux seems as pointless as trying to remember
> iptables commands, or AFS trivia back when I was a student--all cause
> me trouble just infrequently enough to ensure I have to relearn them
> from scratch every time. If I were a full-time sysadmin of course it
> would be a different story, but I really don't have the brain cycles
> to remember anything more complicated than chmod and chown, and I
> suspect a large number of accidental sysadmins feel the same.
> 
> --Ed
> 
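An added example, not code from Eric or Ed and not part of the original thread: the denials Ed found in /var/log/messages are AVC records, and the first question for each one is whether the target object simply carries a wrong label (a file copied without its context, fixed by restorecon / fixfiles) or whether the label is right and the policy genuinely forbids the access (fixed with a boolean or an audit2allow module). The script below parses AVC records and sorts them into those two buckets. The three sample records are constructed to have the shape of real audit.log lines; the sshd one mirrors Ed's ~/.ssh case, while the two openvpn records are hypothetical shapes for illustration and are not a claim about what actually broke his ipp.txt. The list of "generic" types is a heuristic assumption, not something the thread states.

```sh
#!/bin/sh
# Added example: triage SELinux AVC denials into "relabel" vs "policy".
# Only the parsing runs here; the SELinux tools are shown in comments.

# Extract one key=value field from an AVC record. Values are quoted
# (comm="sshd") or bare (tclass=file). Prints nothing if absent.
avc_field() {
    rec=$1; key=$2
    printf '%s\n' "$rec" |
        sed -n "s/.*[[:space:]]$key=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The type (third component) of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The permissions inside "denied { ... }", joined with '+'.
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}.*/\1/p' |
        tr ' ' '+'
}

# Heuristic (assumption): these types usually mean the object never got a
# specific label, e.g. a file copied into a home directory without its
# context. A confined daemon tripping over one of them wants restorecon.
is_generic_type() {
    case $1 in
        user_home_t|admin_home_t|default_t|unlabeled_t|file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print: comm perm tclass name src_type tgt_type verdict
# verdict is "relabel" (filesystem object with a generic label) or "policy".
avc_triage() {
    rec=$1
    comm=$(avc_field "$rec" comm)
    name=$(avc_field "$rec" name)
    tclass=$(avc_field "$rec" tclass)
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    perm=$(avc_perms "$rec")
    verdict=policy
    case $tclass in
        file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
            if is_generic_type "$tgt"; then verdict=relabel; fi ;;
    esac
    printf '%s %s %s %s %s %s %s\n' \
        "$comm" "$perm" "$tclass" "${name:--}" "$src" "$tgt" "$verdict"
}

# Filter: read audit output on stdin, triage every AVC denial.
# Usage on a real box:  ausearch -m avc -ts recent | triage_log
triage_log() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) avc_triage "$line" ;;
        esac
    done
}

# Constructed sample records (real AVC shape; pids, inodes, times made up).
REC_SSHD='type=AVC msg=audit(1199394000.101:201): avc:  denied  { read } for  pid=2117 comm="sshd" name="authorized_keys" dev=sda2 ino=40113 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'
REC_OVPN='type=AVC msg=audit(1199394000.102:202): avc:  denied  { write } for  pid=2290 comm="openvpn" name="ipp.txt" dev=sda2 ino=51022 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file'
REC_BIND='type=AVC msg=audit(1199394000.103:203): avc:  denied  { name_bind } for  pid=2290 comm="openvpn" src=1195 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

printf '%s\n%s\n%s\n' "$REC_SSHD" "$REC_OVPN" "$REC_BIND" | triage_log

# What to run on the machine itself (not executable here):
#   ls -Z ~/.ssh                        # labels the copied files actually carry
#   restorecon -Rv ~/.ssh               # reset them per file_contexts (what fixfiles did)
#   ausearch -m avc -ts recent          # the denials, from audit.log
#   ausearch -m avc -ts recent | audit2allow -M local
#                                       # only once labels are right and policy is not
#   setenforce 0                        # permissive keeps labeling intact; SELINUX=disabled
#                                       # forces a full relabel when re-enabled later
```

A "relabel" verdict means run restorecon on the path and look again; if the denial persists with the same target type, the label was already what the policy expected and the problem is a policy gap, which is the bucket the two openvpn samples fall into.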