Integration with RHEL-based distributions incorporating extended SELinux restrictions
To integrate PingID with Linux distributions that use SELinux restrictions, you must update SELinux policy.
Overview
SELinux is an extended permissions system that is present in most Linux distributions.
On CentOS 7 and RHEL 7, SELinux is set to enforcing mode. Its default policy prevents the sshd service and local login processes from making outbound HTTPS connections and from creating or updating files in the file system. The pam_pingid module needs both of these operations: it must connect to PingID servers, and it must write its log according to the pingid.conf settings.
In other words, default SELinux settings and policies of CentOS 7 and RHEL 7 prevent the PAM module of PingID SSH from functioning properly when it is used with the sshd service or a local login process.
With PingID SSH agent 4.0.13, you can update the SELinux policy to allow the PAM module to work on CentOS 7 and RHEL 7. When building PingID SSH from source code, pass the --enable-selinux flag to the configure command:
./configure --with-pam --enable-selinux
This allows processes running with the sshd_t and local_login_t SELinux context types, that is, sshd and login processes, to:
- Establish TCP connections to the set of ports that SELinux associates with the HTTP/HTTPS protocols. The default ports are: 888, 80, 81, 443, 488, 8008, 8009, 8443, and 9000.
- Create a file, open a file, and write to a file opened with the O_APPEND flag, for files with the var_log_t SELinux context type. Files inside the /var/log directory have the var_log_t SELinux context type by default. If you need to write the PingID log file to a location outside /var/log, such as /tmp/pingid.log, SELinux still blocks that operation. To enable writing to this file, create the file manually and change its SELinux context type to var_log_t:
touch /tmp/pingid.log
semanage fcontext -a -t var_log_t /tmp/pingid.log
restorecon -v /tmp/pingid.log
Prerequisites
To enable the configure command to update the SELinux policy, the following packages must be installed on the OS:
- policycoreutils
- selinux-policy-devel
Disable PingID policies
To disable the SELinux policies added by the PingID agent installation, run the following commands as root.
# disable local login policy
setsebool -P allow_pam_pingid_local_login=off
# disable sshd policy
setsebool -P allow_pam_pingid_sshd=off
# disable both policies
setsebool -P allow_pam_pingid_local_login=off allow_pam_pingid_sshd=off
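The following pre-flight check ties together the three conditions described on this page (the var_log_t label on the log file, the allow_pam_pingid_* booleans, and the http_port_t port labels). It is an added example, not part of the PingID agent; the /var/log/pingid.log default, the sample command output and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-flight check for pam_pingid under SELinux (added example, not PingID code).
# Parsers take command output as strings so they run offline; audit_live feeds them real output.

# Type field of a security context: "system_u:object_r:var_log_t:s0" -> "var_log_t"
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Succeeds only for var_log_t, the one file type the --enable-selinux policy lets sshd/login append to
log_context_allowed() { [ "$(context_type "$1")" = "var_log_t" ]; }

# Parse "name --> on|off" lines from getsebool; prints on, off or unknown for the named boolean
boolean_state() {
    state=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "-->" { print $3 }')
    printf '%s\n' "${state:-unknown}"
}

# Parse "semanage port -l" output; succeeds when TCP port $2 carries the http_port_t label
port_is_http() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "http_port_t" && $2 == "tcp" { for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) ok = 1 } }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample output (not captured from a real host) exercising the parsers offline
SAMPLE_BOOLS='allow_pam_pingid_sshd --> on
allow_pam_pingid_local_login --> off'
SAMPLE_PORTS='http_port_t                    tcp      888, 80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# Returns 0 when every parser gives the expected answer on the sample data
demo_offline() {
    log_context_allowed 'system_u:object_r:var_log_t:s0' &&
    ! log_context_allowed 'unconfined_u:object_r:user_tmp_t:s0' &&
    [ "$(boolean_state "$SAMPLE_BOOLS" allow_pam_pingid_sshd)" = on ] &&
    [ "$(boolean_state "$SAMPLE_BOOLS" allow_pam_pingid_local_login)" = off ] &&
    port_is_http "$SAMPLE_PORTS" 443 && ! port_is_http "$SAMPLE_PORTS" 22
}

# Live audit, run as root on the target host. Log path and port are assumed defaults.
audit_live() {
    log=${1:-/var/log/pingid.log}; port=${2:-443}
    ctx=$(stat -c %C "$log" 2>/dev/null) || { echo "$log does not exist; create it before checking"; return 1; }
    log_context_allowed "$ctx" || echo "WARN: $log is $(context_type "$ctx"), not var_log_t: logging will be denied"
    for b in allow_pam_pingid_sshd allow_pam_pingid_local_login; do
        echo "$b: $(boolean_state "$(getsebool "$b")" "$b")"
    done
    port_is_http "$(semanage port -l)" "$port" || echo "WARN: tcp/$port is not http_port_t: HTTPS will be denied"
}

demo_offline && echo "offline self-check passed"
```

Call audit_live with the log path from pingid.conf and the PingID server port to check a real host; any WARN line names the SELinux condition that still blocks the module.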