---
title: Integration with RHEL-based distributions incorporating extended SELinux restrictions
description: To integrate PingID with Linux distributions that use SELinux restrictions, you must update SELinux policy.
component: pingid
page_id: pingid:pingid_integrations:pid_integration_rhel_distributions_selinux_restrictions
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_integration_rhel_distributions_selinux_restrictions.html
revdate: January 28, 2024
section_ids:
  overview: Overview
  prerequisites: Prerequisites
  disable-pingid-policies: Disable PingID policies
  remove-pingid-policies: Remove PingID policies
---

# Integration with RHEL-based distributions incorporating extended SELinux restrictions

To integrate PingID with Linux distributions that use SELinux restrictions, you must update SELinux policy.

## Overview

SELinux is a mandatory access control system, layered on top of the standard Linux file permissions, that is present in most Linux distributions.

On CentOS 7 and RHEL 7, SELinux is enabled in enforcing mode by default. The default policy confines the sshd service and local login processes: it prevents them from making outbound HTTPS connections and from creating or updating files in the file system. However, the `pam_pingid` module runs inside those processes and needs exactly these operations to connect to the PingID servers and to write its log according to the `pingid.conf` settings.

In other words, the default SELinux settings and policies of CentOS 7 and RHEL 7 prevent the PingID SSH PAM module from functioning when it is loaded by the sshd service or a local login process.

As of PingID SSH agent 4.0.13, you can update the SELinux policy so that the PAM module works on CentOS 7 and RHEL 7. When building PingID SSH from source, pass the `--enable-selinux` flag to the configure command:

```
./configure --with-pam --enable-selinux
```

This installs a `pingid` policy module that allows processes running in the `sshd_t` and `local_login_t` SELinux domains, that is, sshd and login processes, to:

* Establish TCP connections to the ports that SELinux labels `http_port_t`, the set it associates with the HTTP/HTTPS protocols. The default ports are: 888, 80, 81, 443, 488, 8008, 8009, 8443, and 9000. To list the set in effect on a host, run `semanage port -l | grep http_port_t`. The PingID servers must be reachable on one of those ports, because the policy does not open any others.

* Create, open, and append to (write to a file opened with the `O_APPEND` flag) files whose SELinux context type is `var_log_t`. Files inside the `/var/log` directory have the `var_log_t` type by default.

  If you need to write the PingID log file outside `/var/log`, for example to `/tmp/pingid.log`, SELinux still blocks the write. To allow it, create the file manually and change its SELinux context type to `var_log_t`:

  ```
  # create the file so there is something to label
  touch /tmp/pingid.log
  # record the var_log_t label for this path so it survives a future relabel
  semanage fcontext -a -t var_log_t /tmp/pingid.log
  # apply the recorded label to the file now
  restorecon -v /tmp/pingid.log
  ```
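
When a connection or log write is still denied after the policy is installed, SELinux records the refusal as an AVC record in `/var/log/audit/audit.log`. The following Python example is added to this page and is not part of the PingID documentation or the agent's source. It parses such records together with `getsebool -a` output and maps each `sshd_t` or `local_login_t` denial to one of the fixes described above: a target port outside `http_port_t`, a log file that is not `var_log_t`, or PingID rules that are absent (module not loaded) or switched off through the `allow_pam_pingid_*` booleans, the ones the Disable PingID policies section toggles. The audit lines and boolean states are constructed, and the `semanage port -a -t http_port_t` remedy for an unlabelled port is the standard SELinux fix rather than something this page describes.

```python
import re

# Domains the PingID policy module adds rules for, and the boolean that
# switches each set of rules (names from the "Disable PingID policies" section).
PINGID_BOOLEANS = {
    "sshd_t": "allow_pam_pingid_sshd",
    "local_login_t": "allow_pam_pingid_local_login",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    # A context is user:role:type[:range]; only the type matters for triage.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_getsebool(output):
    """Parse `getsebool -a` output ('name --> on') into {name: bool}."""
    state = {}
    for line in output.splitlines():
        if "-->" in line:
            name, value = line.split("-->", 1)
            state[name.strip()] = value.strip() == "on"
    return state


def triage(rec, booleans):
    """Map one denial from sshd_t/local_login_t to the fix the PingID policy needs."""
    if rec is None or rec["stype"] not in PINGID_BOOLEANS:
        return None  # not an sshd/login denial, so not caused by pam_pingid
    tclass = rec.get("tclass")
    if tclass == "tcp_socket" and rec["ttype"] != "http_port_t":
        # The policy only opens http_port_t; a PingID endpoint on another port
        # needs that port labelled (use -m instead of -a if it already has a type).
        dest = rec.get("dest", "?")
        return (f"port {dest} is {rec['ttype']}, not http_port_t; label it with: "
                f"semanage port -a -t http_port_t -p tcp {dest}")
    if tclass == "file" and rec["ttype"] != "var_log_t":
        name = rec.get("name", "the log file")
        return (f"{name} is {rec['ttype']}, not var_log_t; relabel it with: "
                f"semanage fcontext -a -t var_log_t <path> && restorecon -v <path>")
    if tclass not in ("tcp_socket", "file"):
        return None
    # Target is labelled as the policy expects, so the PingID rules themselves
    # are missing (module not loaded) or switched off (boolean is off).
    boolean = PINGID_BOOLEANS[rec["stype"]]
    if boolean not in booleans:
        return (f"{boolean} does not exist: the pingid module is not loaded; "
                f"rebuild with ./configure --with-pam --enable-selinux")
    if not booleans[boolean]:
        return f"{boolean} is off; turn it back on with: setsebool -P {boolean}=on"
    return (f"{boolean} is on and the target is labelled correctly; "
            f"denied {{ {' '.join(rec['perms'])} }} needs manual review")


def triage_log(audit_text, getsebool_text):
    """Return [(comm, remedy)] for every PingID-relevant denial in the audit text."""
    booleans = parse_getsebool(getsebool_text)
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        remedy = triage(rec, booleans)
        if remedy:
            findings.append((rec.get("comm", "?"), remedy))
    return findings


# Constructed records in the shape of /var/log/audit/audit.log and `getsebool -a`
# (not captured from a real host): an sshd HTTPS connect blocked because the
# boolean is off, an sshd write to an unlabelled /tmp log, a login process
# reaching a port outside http_port_t, and two records that are not PingID's.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1706400000.101:201): avc:  denied  { name_connect } for  pid=2041 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1706400000.102:202): avc:  denied  { write } for  pid=2041 comm="sshd" name="pingid.log" dev="dm-0" ino=37 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1706400000.103:203): avc:  denied  { name_connect } for  pid=2055 comm="login" dest=8444 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1706400000.101:201): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1706400000.104:204): avc:  denied  { read } for  pid=880 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

SAMPLE_BOOLEANS = """\
allow_pam_pingid_local_login --> on
allow_pam_pingid_sshd --> off
httpd_can_network_connect --> off
"""

if __name__ == "__main__":
    for comm, remedy in triage_log(SAMPLE_AUDIT, SAMPLE_BOOLEANS):
        print(f"{comm}: {remedy}")
```

On a real host, feed `triage_log` the output of `ausearch -m AVC -ts recent` and `getsebool -a` instead of the constructed samples. Denials from domains other than `sshd_t` and `local_login_t` are ignored on purpose: the PingID policy module does not touch them, so they need a different fix.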

## Prerequisites

To enable the configure command to build and install the SELinux policy module, the following packages must be installed on the OS:

* `policycoreutils`

* `selinux-policy-devel`

On CentOS 7 and RHEL 7 the `semanage` command used to relabel a log file is provided by the separate `policycoreutils-python` package.

## Disable PingID policies

To switch off the rules that the PingID policy module adds, without removing the module itself, run the following commands as root. The `-P` flag writes the boolean value into the policy store so the setting persists across reboots; check the current state with `getsebool allow_pam_pingid_sshd allow_pam_pingid_local_login`.

```
# disable local login policy
setsebool -P allow_pam_pingid_local_login=off

# disable sshd policy
setsebool -P allow_pam_pingid_sshd=off

# disable both policies
setsebool -P allow_pam_pingid_local_login=off allow_pam_pingid_sshd=off
```

## Remove PingID policies

To remove the PingID SELinux policy module entirely, run the following command as root. Afterwards the sshd and login processes are again confined by the distribution's default policy, and the PAM module stops working until the policy is reinstalled.

```
# remove all pingid policies
semodule -r pingid
```
