To integrate PingID with Linux distributions that use SELinux restrictions, you must update SELinux policy.
Overview
SELinux is an extended permissions system that is present in most Linux distributions.
On CentOS 7 and RHEL 7, SELinux is set to enforcing mode. It is configured to prevent the sshd service and local login processes from making outbound HTTPS connections and from creating or updating files in the file system. However, the pam_pingid module needs exactly these operations to connect to PingID servers and to perform logging according to the pingid.conf settings.
In other words, the default SELinux settings and policies of CentOS 7 and RHEL 7 prevent the PAM module of PingID SSH from functioning properly when it is used with the sshd service or a local login process.
With PingID SSH agent 4.0.13, the user can easily update the SELinux policy to allow the PAM module to work on CentOS 7 and RHEL 7. When building PingID SSH from source code, pass the --enable-selinux flag to the configure command:
./configure --with-pam --enable-selinux
This allows processes with the sshd_t and local_login_t SELinux context types (that is, sshd and login processes) to:
- Establish TCP connections to the set of ports that SELinux associates with HTTP/HTTPS protocols. The default ports are: 888, 80, 81, 443, 488, 8008, 8009, 8443, and 9000.
- Create a file, open a file, and write to a file opened with the O_APPEND flag, for files with the var_log_t SELinux context type. Files inside the /var/log directory have the var_log_t SELinux context type by default. If you need to write PingID log files to a location outside /var/log, such as /tmp/pingid.log, SELinux still blocks that operation. To enable writing to this file, create the file manually and change its SELinux context type to var_log_t:
touch /tmp/pingid.log
semanage fcontext -a -t var_log_t /tmp/pingid.log
restorecon -v /tmp/pingid.log
Prerequisites
To enable the configure command to update the SELinux policy, the following packages must be installed on the OS:
policycoreutils
selinux-policy-devel
Disable PingID policies
To disable the SELinux policies added by the PingID agent installation, run the following commands as root. The -P flag makes the change persistent across reboots.
# disable local login policy
setsebool -P allow_pam_pingid_local_login=off
# disable sshd policy
setsebool -P allow_pam_pingid_sshd=off
# disable both policies
setsebool -P allow_pam_pingid_local_login=off allow_pam_pingid_sshd=off
Remove PingID policies
To remove all PingID SELinux policies, run the following command as root.
# remove all pingid policies
semodule -r pingid
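As an added example that is not part of the PingID documentation, the following POSIX shell script verifies, after installation, the state this page describes: the pingid policy module is loaded, both allow_pam_pingid_* booleans are on, and a log file outside /var/log carries the var_log_t type. The command names, boolean names and module name come from the page; the script name, the --run argument, the PINGID_LOGFILE variable and the sample command outputs in the comments are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the PingID documentation: a post-install check
# for the SELinux state that pam_pingid needs on CentOS/RHEL 7. It uses only
# commands the page mentions (semodule, getsebool, semanage, restorecon).
# The parsing helpers take command output as a string so they can be
# exercised without SELinux tools installed; check_host() wires them to the
# live commands. The log path below is an assumption matching the page.

LOGFILE="${PINGID_LOGFILE:-/tmp/pingid.log}"

# Extract the SELinux type from an "ls -Z" line, e.g. (constructed sample)
# "unconfined_u:object_r:var_log_t:s0 /tmp/pingid.log".
# A context is user:role:type:level, so the type is the third colon field.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{print $1}' | cut -d: -f3
}

# Return 0 when the "ls -Z" line shows the var_log_t type PingID logging needs.
has_var_log_t() {
    [ "$(selinux_type_of "$1")" = "var_log_t" ]
}

# Return 0 when a getsebool line such as "allow_pam_pingid_sshd --> on"
# (constructed sample) reports the boolean as on.
bool_is_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 when a "semodule -l" listing (module name and optional version
# per line) contains the pingid module installed by --enable-selinux.
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "pingid" { found = 1 } END { exit !found }'
}

# Run the live checks as root; print one line per finding and return the
# number of problems so the script can gate a deployment pipeline.
check_host() {
    problems=0
    for tool in semodule getsebool semanage restorecon; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "MISSING: $tool (install policycoreutils / selinux-policy-devel)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"

    if ! module_loaded "$(semodule -l)"; then
        echo "MISSING: SELinux module pingid (rebuild with ./configure --with-pam --enable-selinux)"
        problems=$((problems + 1))
    fi

    for b in allow_pam_pingid_sshd allow_pam_pingid_local_login; do
        if ! bool_is_on "$(getsebool "$b" 2>/dev/null)"; then
            echo "OFF: $b (enable with: setsebool -P $b=on)"
            problems=$((problems + 1))
        fi
    done

    # Only files outside /var/log need the manual relabel described on the page.
    if [ -e "$LOGFILE" ] && ! has_var_log_t "$(ls -Z "$LOGFILE")"; then
        echo "WRONG TYPE: $LOGFILE (fix with: semanage fcontext -a -t var_log_t $LOGFILE && restorecon -v $LOGFILE)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: pam_pingid SELinux prerequisites satisfied"
    return "$problems"
}

# Run the live checks only when invoked with --run, so the helpers can be
# sourced and unit-tested on a machine without SELinux.
if [ "$1" = "--run" ]; then
    check_host
fi
```

Usage: save the script as pingid_selinux_check.sh and run `sh pingid_selinux_check.sh --run` as root; a non-zero exit status means at least one of the page's prerequisites is not met, and each finding line names the command from this page that fixes it.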