I just installed Fedora 22 on my VPS and tried to make trivial thing — run my informer script on every ssh login via pam_exec.
But I was confronted with unexpected difficulties: pam_exec failed with exit code 13.
I added habitual line to the end of /etc/pam.d/sshd:
session optional pam_exec.so seteuid /usr/local/bin/loginformer.py
Of course loginformer.py has execution flags:
$ ls -l /usr/local/bin/loginformer.py
-rwxr-xr-x. 1 root root 4254 Jun 8 09:35 /usr/local/bin/loginformer.py
But here is painful extract from journalctl -lb SYSLOG_FACILITY=10
:
Jun 08 11:58:49 fedora22 sshd[671]: pam_exec(sshd:session): execve(/usr/local/bin/loginformer.py,...) failed: Permission denied
Jun 08 11:58:49 fedora22 sshd[663]: pam_exec(sshd:session): /usr/local/bin/loginformer.py failed: exit code 13
I'm not sure what's happening, because it always work on my ArchLinux.
I think it may be some SELinux resctriction, but I'm not sure.
What I'm doing wrong?
UPDATE
Well, I tried to go deeply to SELinux and understood I should change SELinux context of my script.
Now SELinux context of it looks so:
$ ls -Z /usr/local/bin/loginformer.py
unconfined_u:object_r:user_home_t:s0 /usr/local/bin/loginformer.py
But which context should I set to the script?
UPDATE 2
Also, I think SELinux AVC logs may be very useful for detection of problem. I'm sorry I didn't give it earlier.
cat /var/log/audit/audit.log | grep loginformer.py
return a lot of same strings:
type=AVC msg=audit(1433784991.570:265): avc: denied { execute } for pid=7866 comm="sshd" name="loginfomer.py" dev="vda1" ino=11924 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Best Answer
The order in which
pam_exec
andpam_selinux
are invoked is important. Man page forpam_selinux
notes:Similarly, Dan Walsh writes about the topic:
Also note that your script currently has security context of
user_home_t
, which is not likely compatible with the default policy (file contexts are preserved when file is moved; if you created the file in your home directory moving the file will preserve the original context). You probably should use the defaultbin_t
context. To restore the default context:If your script does not do anything too special, placing
pam_exec
beforepam_selinux
and restring the context should be enough to fix your issue.