Hello,
I'm trying to set some environment variables via $HOME/.pam_environment on my F27 system. I understand that the feature is disabled by default on Fedora so I tried to add the following line to `/etc/pam.d/login`:
```
session required pam_env.so user_readenv=1
```
However, even with this line, ~/.pam_environment is still ignored. Any idea?
Thanks!
-- Timothée Floure
On Tue, 2017-11-21 at 14:15 +0100, Timothée Floure wrote:
Hello,
I'm trying to set some environment variables via $HOME/.pam_environment on my F27 system. I understand that the feature is disabled by default on Fedora so I tried to add the following line to `/etc/pam.d/login`:
```
session required pam_env.so user_readenv=1
```
However, even with this line, ~/.pam_environment is still ignored.
/etc/pam.d/login is for /bin/login (vty, telnet, and friends.) sshd will use /etc/pam.d/sshd and gdm should use /etc/pam.d/gdm.
I'd also suggest adding 'debug' to see if the module is being executed at all.
I log in directly from a tty and don't use a DM: I guess /etc/pam.d/login is fine? I will try with debugging enabled.
Thanks!
PS: I missed the reply list button the first time, sorry!
On 21/11/17 14:39, Berend De Schouwer wrote:
/etc/pam.d/login is for /bin/login (vty, telnet, and friends.) sshd will use /etc/pam.d/sshd and gdm should use /etc/pam.d/gdm.
I'd also suggest adding 'debug' to see if the module is being executed at all.
Ahah! The culprit is SELinux!
I can easily set SELinux to permissive, but it's not a proper solution. What would be the best fix? Should I set a specific flag [0] on my ~/.pam_environment or is there a better way to handle this with pam?
[0] I'm not familiar with SELinux
On 21/11/17 14:47, Timothée Floure wrote:
I log in directly from a tty and don't use a DM: I guess /etc/pam.d/login is fine? I will try with debugging enabled.
Thanks!
PS: I missed the reply list button the first time, sorry!
On 11/21/2017 10:36 AM, Timothée Floure wrote:
Ahah! The culprit is SELinux!
I can easily set SELinux to permissive, but it's not a proper solution. What would be the best fix? Should I set a specific flag [0] on my ~/.pam_environment or is there a better way to handle this with pam?
[0] I'm not familiar with SELinux
Can you provide the actual AVC denial message from SELinux regarding this? My guess is that if you created the ~/.pam_environment file, the SELinux context is incorrect on the file. The AVC message would give the answer.
~/.pam_environment is a symbolic link to ~/.dotfiles/pam_environment.
Here is the AVC denial message:
```
Nov 22 08:25:22 phi audit[983]: AVC avc: denied { getattr } for pid=983 comm="login" path="/home/fnux/.dotfiles/homedir/.pam_environment" dev="dm-7" ino=1428 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
```
On 21/11/17 19:44, Rick Stevens wrote:
Can you provide the actual AVC denial message from SELinux regarding this? My guess is that if you created the ~/.pam_environment file, the SELinux context is incorrect on the file. The AVC message would give the answer.
On 11/21/2017 11:30 PM, Timothée Floure wrote:
~/.pam_environment is a symbolic link to ~/.dotfiles/pam_environment.
Symlinks aren't processed according to their target, so they tend to be problematic with SELinux. Consider using a hard link instead.
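
Added example (not part of the thread, and not code from any poster): a small Python parser for the AVC record posted above, which makes the denial readable as "which domain was refused which permission on which label". The function names are hypothetical; the sample line is the one from the thread.

```python
import re

# The AVC record posted in the thread, copied verbatim.
SAMPLE = (
    'Nov 22 08:25:22 phi audit[983]: AVC avc: denied { getattr } for pid=983 '
    'comm="login" path="/home/fnux/.dotfiles/homedir/.pam_environment" '
    'dev="dm-7" ino=1428 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain ':'."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else None}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        # permissive=0 means the denial was enforced, not just logged
        "enforced": fields.get("permissive") == "0",
    }


def summarize(rec):
    """One-line reading of the record: who was denied what, on which label."""
    return "{} ({}) {} {} on {} {} labeled {}".format(
        rec["comm"], rec["source"]["type"], rec["result"],
        ",".join(rec["perms"]), rec["tclass"], rec["path"],
        rec["target"]["type"])


if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE)))
```

For the record in the thread this reports that `login`, running in the `local_login_t` domain, was denied `getattr` on a regular file (`tclass=file`) under `~/.dotfiles` carrying the generic `user_home_t` label.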