PingID Administration Guide

Integration with RHEL-based distributions incorporating extended SELinux restrictions

To integrate PingID with Linux distributions that enforce SELinux restrictions, you must update the SELinux policy so that the PingID PAM module is allowed to reach the PingID servers and write its log file.

Overview

SELinux is a mandatory access control system, layered on top of the ordinary file permissions, that is enabled by default on RHEL-based distributions and available on many others.

On CentOS 7 and RHEL 7, SELinux runs in enforcing mode by default. The default policy does not allow the sshd service or the local login process to make outbound HTTPS connections or to create and update files on the file system. The pam_pingid module needs both: it connects to the PingID servers over HTTPS and writes a log file according to the settings in pingid.conf.

In other words, the default SELinux settings and policies of CentOS 7 and RHEL 7 prevent the PAM module of PingID SSH from working when it is used with the sshd service or a local login process. Operations that SELinux denies are recorded as AVC records in the audit log, which is the first place to look when PingID authentication fails on such a host.

Starting with PingID SSH agent 4.0.13, you can update the SELinux policy to allow the PAM module to work on CentOS 7 and RHEL 7. When building PingID SSH from source code, pass the --enable-selinux flag to the configure command together with --with-pam:

./configure --with-pam --enable-selinux

This installs a policy module named pingid that allows processes running in the sshd_t and local_login_t SELinux domains (that is, sshd and login processes) to:

  • Establish TCP connections to the set of ports that SELinux labels as HTTP/HTTPS (type http_port_t). The default ports are: 80, 81, 443, 488, 888, 8008, 8009, 8443, and 9000. Because local port labels can change this set, confirm it on the host by listing the http_port_t entries with semanage port -l.

  • Create, open, and append to (write to a file opened with the O_APPEND flag) files labelled with the var_log_t SELinux type. Files under the /var/log directory carry var_log_t by default, so the default log location works without further changes.

    If you write the PingID log file anywhere else, for example /tmp/pingid.log, SELinux still blocks the write because the file does not carry var_log_t. To allow it, create the file manually and change its SELinux type to var_log_t. The semanage rule is stored persistently and restorecon applies it to the existing file; if the file is later deleted and recreated (for example when /tmp is cleaned), run restorecon again:

    touch /tmp/pingid.log
    semanage fcontext -a -t var_log_t /tmp/pingid.log
    restorecon -v /tmp/pingid.log
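The denials described in this overview appear in the audit log as AVC records. The following script is an added example, not part of this guide or of PingID SSH: it reads AVC records and maps each one to the remedy given on this page (the pingid booleans from the Disable PingID policies section, or a var_log_t relabel of the log file). It assumes the AVC record format written by auditd on RHEL 7 and the boolean names this guide documents; the sample records at the bottom are constructed, not captured from a real host.

```bash
#!/bin/sh
# Added example (not part of the PingID guide or the PingID SSH agent code):
# map SELinux AVC denials to the remediation the guide describes for each one.
# Live use on a RHEL/CentOS 7 host (root is needed for the audit log):
#   ausearch -m AVC -ts recent | sh pingid_avc_hint.sh --stdin
# Offline demo on the constructed sample records defined below:
#   sh pingid_avc_hint.sh --demo
set -eu

# Pull one field out of an AVC record: the first permission inside { },
# the type component of scontext/tcontext, or a plain key=value.
avc_field() {
    case "$2" in
        perm)   printf '%s\n' "$1" | sed -n 's/.*denied *[{] *\([^} ]*\).*/\1/p' ;;
        stype)  printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' ;;
        ttype)  printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' ;;
        tclass) printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p' ;;
        name)   printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p' ;;
    esac
}

# Decide which part of the pingid SELinux policy a denial maps to.
# Prints one of: sshd-boolean, local-login-boolean, log-fcontext, unrelated, skip.
# Only the sshd_t and local_login_t domains are considered, because those are
# the only domains pam_pingid runs in.
classify_avc() {
    line=$1
    case "$line" in *avc:*denied*) ;; *) echo skip; return 0 ;; esac
    stype=$(avc_field "$line" stype)
    ttype=$(avc_field "$line" ttype)
    tclass=$(avc_field "$line" tclass)
    perm=$(avc_field "$line" perm)
    case "$stype" in
        sshd_t|local_login_t) ;;
        *) echo unrelated; return 0 ;;
    esac
    if [ "$tclass" = tcp_socket ] && [ "$perm" = name_connect ] && [ "$ttype" = http_port_t ]; then
        # Outbound HTTP/HTTPS connect: covered by the per-domain pingid boolean.
        [ "$stype" = sshd_t ] && echo sshd-boolean || echo local-login-boolean
    elif [ "$tclass" = file ] && [ "$ttype" != var_log_t ]; then
        # Log file write to something that is not labelled var_log_t.
        case "$perm" in create|open|write|append) echo log-fcontext ;; *) echo unrelated ;; esac
    else
        echo unrelated
    fi
}

# Read AVC records on stdin and print the guide's remediation for each.
avc_hint() {
    while IFS= read -r rec; do
        src=$(avc_field "$rec" stype)
        case "$(classify_avc "$rec")" in
            sshd-boolean)
                echo "$src: connect to an http_port_t port denied -> make sure the pingid module is loaded (semodule -l) and run: setsebool -P allow_pam_pingid_sshd=on" ;;
            local-login-boolean)
                echo "$src: connect to an http_port_t port denied -> make sure the pingid module is loaded (semodule -l) and run: setsebool -P allow_pam_pingid_local_login=on" ;;
            log-fcontext)
                echo "$src: $(avc_field "$rec" perm) on '$(avc_field "$rec" name)' (labelled $(avc_field "$rec" ttype)) denied -> semanage fcontext -a -t var_log_t <path> && restorecon -v <path>" ;;
            unrelated)
                echo "$src: $(avc_field "$rec" tclass)/$(avc_field "$rec" perm) denial is not covered by the pingid policy" ;;
        esac
    done
}

# Constructed sample records (not captured from a real system) in the format
# auditd writes for AVC denials; record 5 is a non-AVC line and is skipped.
sample_avc_lines() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.001:101): avc:  denied  { name_connect } for  pid=2001 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { write } for  pid=2001 comm="sshd" name="pingid.log" dev="tmpfs" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { name_connect } for  pid=2050 comm="login" dest=443 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.004:104): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=42 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)
EOF
}

case "${1:-}" in
    --demo)  sample_avc_lines | avc_hint ;;
    --stdin) avc_hint ;;
esac
```

The classifier only looks at the three things the pingid policy changes: the source domain, the target type, and the object class. Anything else (for example a denial from httpd_t, or an sshd_t denial on a directory) is reported as outside the scope of this policy so that it is not papered over by flipping a pingid boolean.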

Prerequisites

To let the configure command build and load the SELinux policy module, the following packages must be installed on the OS:

  • policycoreutils

  • selinux-policy-devel

On RHEL 7 and CentOS 7 the semanage command used in the overview is not in policycoreutils but in the separate policycoreutils-python package.

Disable PingID policies

To disable the SELinux policy rules added by the PingID agent installation without removing the module, run the following commands as root. The -P option makes the change persistent across reboots; the pingid module stays loaded and can be re-enabled by setting the same booleans back to on.

# disable local login policy
setsebool -P allow_pam_pingid_local_login=off

# disable sshd policy
setsebool -P allow_pam_pingid_sshd=off

# disable both policies
setsebool -P allow_pam_pingid_local_login=off allow_pam_pingid_sshd=off

Remove PingID policies

To remove the pingid policy module and all rules it contains, run the following command as root. The file context rule added earlier with semanage fcontext is a local customization, not part of the module, and must be deleted separately with the -d option of semanage fcontext.

# remove all pingid policies
semodule -r pingid