~/.pam_environment is a symbolic link to ~/.dotfiles/pam_environment. Here is the AVC denial message:

Nov 22 08:25:22 phi audit[983]: AVC avc: denied { getattr } for pid=983 comm="login" path="/home/fnux/.dotfiles/homedir/.pam_environment" dev="dm-7" ino=1428 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

On 21/11/17 19:44, Rick Stevens wrote:
> On 11/21/2017 10:36 AM, Timothée Floure wrote:
>> Ahah! The culprit is SELinux!
>>
>> I can easily set SELinux to permissive, but it's not a proper solution.
>> What would be the best fix? Should I set a specific flag [0] to my
>> ~/.pam_environment or is there a better way to handle this with pam?
>>
>> [0] I'm not familiar with SELinux
>
> Can you provide the actual AVC denial message from SELinux regarding
> this? My guess is that if you created the ~/.pam_environment file, the
> SELinux context is incorrect on the file. The AVC message would
> give the answer.
>
>> On 21/11/17 14:47, Timothée Floure wrote:
>>> I directly login from a tty and don't use a DM: I guess
>>> /etc/pam.d/login is fine? I will try with debugging enabled.
>>>
>>> Thanks!
>>>
>>> PS: I missed the reply list button the first time, sorry!
>>>
>>> On 21/11/17 14:39, Berend De Schouwer wrote:
>>>> On Tue, 2017-11-21 at 14:15 +0100, Timothée Floure wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to set some environment variables via $HOME/.pam_environment
>>>>> on my F27 system. I understand that the feature is disabled by default
>>>>> on Fedora so I tried to add the following line to `/etc/pam.d/login`:
>>>>>
>>>>> ```
>>>>> session required pam_env.so user_readenv=1
>>>>> ```
>>>>>
>>>>> However, even with this line, ~/.pam_environment is still ignored.
>>>>
>>>> /etc/pam.d/login is for /bin/login (vty, telnet, and friends.) sshd
>>>> will use /etc/pam.d/sshd and gdm should use /etc/pam.d/gdm.
>>>>
>>>> I'd also suggest adding 'debug' to see if the module is being executed
>>>> at all.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
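
An added example, not part of the thread or any poster's code: a small Python parser for AVC denial records like the one quoted in the message above. It splits out the denied permissions, the source domain and the target type, and groups repeated denials so the domain/label pair that needs attention is visible at a glance. The function names and the second and third sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the thread,
# line 2 is a made-up variant (other permissions) to show grouping,
# line 3 is a made-up non-AVC line that must be skipped.
SAMPLE_LOG = """\
Nov 22 08:25:22 phi audit[983]: AVC avc: denied { getattr } for pid=983 comm="login" path="/home/fnux/.dotfiles/homedir/.pam_environment" dev="dm-7" ino=1428 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Nov 22 08:25:22 phi audit[983]: AVC avc: denied { read open } for pid=983 comm="login" path="/home/fnux/.dotfiles/homedir/.pam_environment" dev="dm-7" ino=1428 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Nov 22 08:25:23 phi systemd[1]: Started Session 1 of user fnux.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain ':'.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["paths"].add(rec.get("path", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (stype, ttype, tclass), g in summarize(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} denied {sorted(g['perms'])}")
        for p in sorted(g["paths"]):
            print(f"  path: {p}")
```
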