Re: Help -- can't SSH into my box

John Aldrich wrote:
> On Tuesday 06 January 2009, Stuart Sears wrote:
> > Not wishing :) to open a massive can of worms (even though this probably
> > will) but why do you hate it so much?
> I installed fail2ban and SELinux immediately threw up massive errors. I could understand that much better if it were some 3rd-party app, but something out of the default Fedora repos should be able to run w/o generating complaints from a security system. Fail2ban, especially, should be allowed to run w/o issue, due to the very nature of it.

You have something strange in your setup if it throws a lot of errors with fail2ban, as I just recently installed it in F10 when I needed an alternative to whitelisting just some IP addresses. And it hasn't given any errors. Actually, in F10 I haven't had any selinux alerts yet. Of course I don't use it as a desktop and there aren't currently users' home directories (or part of them) shared through httpd or samba. But it has just plain worked this far. I was surprised that even cyrus imapd worked out of the box without any problems, and it's maybe less used than dovecot. Maybe you tried it with some early policy version which has been updated and now just works.

Anyway, from what I have worked with selinux on some customer installations, it's not very hard to get it configured to work just the way you want if you just take a little bit of time to understand it and how the rule system works. Of course I was at first a little bit hesitant with it and usually disabled it, but that usually comes with the mindset of being a system administrator (All change is for bad :).

Also, if there are plain errors with it on basic configurations, I think it would be worthwhile to file bugs on them so that they will get fixed.

Of course I didn't try to fix fail2ban to work with anything other than ssh, as it's enough for me for now. So it could have problems with httpd or mail client filtering enabled.


