To integrate PingID with Linux distributions that enforce SELinux restrictions, you must update the SELinux policy.
SELinux is a mandatory access control system, layered on top of the ordinary file permissions, that is present in most Linux distributions.
On CentOS 7 and RHEL 7, SELinux runs in enforcing mode by default. The default policy prevents
the sshd service and local login processes from making outbound HTTPS connections and
from creating or updating files in the file system. However, these operations are
required by the pam_pingid module to connect to the PingID servers and to
write its log according to the pingid.conf settings.
In other words, the default SELinux settings and policies of CentOS 7 and RHEL 7 prevent the PingID SSH PAM module from functioning properly when it is used with the sshd service or a local login process.
With PingID SSH agent 4.0.13, you can easily update the SELinux policy to allow the PAM
module to work on CentOS 7 and RHEL 7. When building PingID SSH from source code, pass
the --enable-selinux flag to the configure script:
./configure --with-pam --enable-selinux
This allows processes running in the sshd and local login SELinux context types (in other words, the sshd and login processes) to:
- Establish TCP connections to the set of ports that SELinux associates with the HTTP/HTTPS protocols. The default ports are: 888, 80, 81, 443, 488, 8008, 8009, 8443, and 9000. Other software or an administrator can change this set, so confirm it on the target host with semanage port -l before relying on it.
- Create a file, open a file, and write to a file opened with the O_APPEND flag, for files with the var_log_t SELinux context type. Files inside the /var/log directory have the var_log_t SELinux context type by default.
If you need to write the PingID log file to a different location, such as /tmp/pingid.log, that write is still blocked by SELinux. To enable writing to the file, create it manually and change its SELinux context type to var_log_t:
touch /tmp/pingid.log
semanage fcontext -a -t var_log_t /tmp/pingid.log
restorecon -v /tmp/pingid.log
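The script below is an added example, not part of the PingID documentation or of the agent's own tooling. It checks the two things the policy above depends on: that the port PingID is reached on belongs to the SELinux HTTP port set (assumed here to be the http_port_t type, as on RHEL 7), and that the log file carries the var_log_t type, relabeling it with the semanage/restorecon sequence above when it does not. The parsers take command output as arguments so they can be exercised on a host without SELinux; the port listing used for illustration and the path /tmp/pingid.log are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not PingID's code): pre-flight checks for the SELinux
# permissions the pam_pingid policy grants. Parsers take command output as
# arguments so they run offline; the "live" section calls the real tools.

# Extract the type field from a context such as "system_u:object_r:var_log_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# port_has_type PORT TYPE LISTING
# LISTING is the text of `semanage port -l`. Returns 0 if TCP port PORT is
# bound to SELinux type TYPE, handling single ports and ranges ("1024-65535").
port_has_type() {
    printf '%s\n' "$3" | awk -v port="$1" -v want="$2" '
        $1 == want && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Does FILE currently carry the type the policy allows sshd/login to write to?
file_is_var_log_t() {
    [ "$(context_type "$(stat -c %C "$1")")" = var_log_t ]
}

# Create FILE if needed and label it var_log_t, as in the steps above.
# `semanage fcontext -a` fails if a rule for the path already exists, so
# fall back to -m (modify) in that case, then apply the label and verify.
ensure_var_log_t() {
    f=$1
    [ -e "$f" ] || touch "$f"
    semanage fcontext -a -t var_log_t "$f" 2>/dev/null \
        || semanage fcontext -m -t var_log_t "$f"
    restorecon -v "$f"
    file_is_var_log_t "$f"
}

# Live run (needs the SELinux tools and root):
#   ./preflight.sh live 443 /tmp/pingid.log
if [ "${1:-}" = live ]; then
    port=${2:-443}; log=${3:-/tmp/pingid.log}
    if port_has_type "$port" http_port_t "$(semanage port -l)"; then
        echo "port $port is in http_port_t"
    else
        echo "port $port is NOT in http_port_t: outbound connect will be denied" >&2
    fi
    file_is_var_log_t "$log" || ensure_var_log_t "$log"
fi
```

The fcontext rule is written for one exact path, as in the steps above. If the agent is configured to log into its own directory instead, give semanage a pattern covering the directory and its contents, for example "/srv/pingid(/.*)?", so files created later inherit the label.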
To enable the configure command to update the SELinux policy, the following packages must be installed on the OS:
Disable PingID policies
To disable the SELinux policies added by PingID agent installation, run the following commands as root.
# disable local login policy
setsebool -P allow_pam_pingid_local_login=off
# disable sshd policy
setsebool -P allow_pam_pingid_sshd=off
# disable both policies
setsebool -P allow_pam_pingid_local_login=off allow_pam_pingid_sshd=off
Remove PingID policies
To remove all PingID SELinux policies, run the following command as root.
# remove all pingid policies
semodule -r pingid
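As an added example that is not part of the PingID documentation, the script below tells the two states above apart: after the setsebool commands the pingid module is still loaded but its booleans read off, whereas after semodule -r the module is gone entirely. The classifier takes the output of semodule -l and getsebool -a as arguments so it can be checked without SELinux; the module and boolean listings used to exercise it are constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example (not PingID's code): classify the PingID SELinux policy state
# from `semodule -l` and `getsebool -a` output, so an operator can tell
# "booleans off" (the Disable step) from "module removed" (the Remove step).

# pingid_policy_state MODULE_LIST BOOLEAN_LIST
# Prints one of: absent, disabled, partial, enabled.
pingid_policy_state() {
    # semodule -l prints one module per line ("pingid 1.0" on RHEL 7,
    # just "pingid" on newer releases); only the first field matters.
    if ! printf '%s\n' "$1" | awk '$1 == "pingid" { f = 1 } END { exit f ? 0 : 1 }'; then
        echo absent
        return 0
    fi
    # getsebool -a lines look like "allow_pam_pingid_sshd --> on".
    on=$(printf '%s\n' "$2" | awk '
        $1 == "allow_pam_pingid_sshd" || $1 == "allow_pam_pingid_local_login" {
            if ($NF == "on") n++
        }
        END { print n + 0 }')
    case $on in
        0) echo disabled ;;
        1) echo partial ;;
        *) echo enabled ;;
    esac
}

# Live query (needs the SELinux userspace tools):
#   ./pingid-state.sh live
if [ "${1:-}" = live ]; then
    pingid_policy_state "$(semodule -l)" "$(getsebool -a)"
fi
```

A "partial" result means only one of the two booleans was switched, which is easy to do by accident with the per-policy commands above. If logins still fail while the state reads enabled, ausearch -m AVC -ts recent | audit2why on the host shows which access the policy still denies.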