IBM Support

Running IBM Security Verify Gateway for Linux PAM on an SELinux-enabled system

How To


Summary

This document explains how to make outbound HTTPS connections from IBM Security Verify Gateway for Linux PAM when it's running on an SELinux-enabled system such as Red Hat 8.x.

Steps

The IBM Security Verify Gateway for Linux PAM module supports multi-factor authentication (MFA). When the PAM module runs on Red Hat 8.x or another Linux distribution with SELinux enabled and enforcing, it may fail to connect to the IBM Security Verify cloud. The likely cause is that the PAM module executes inside the SSH daemon's SELinux domain (sshd_t), which by default is not permitted to initiate outbound TCP/IP (HTTPS) connections to a remote host; SELinux records each refused attempt as an AVC denial in the audit log. You have several options to resolve the problem:

(a) Leverage an existing SELinux boolean

Red Hat 8.x ships with a few SELinux booleans that allow the SSH daemon to initiate HTTPS connections. The specific booleans available to you depend on which policy packages are installed. Two examples are:

  1. authlogin_yubikey
  2. nis_enabled

You can determine if these are present by running a command such as

# semanage boolean -l | fgrep authlogin_yubikey

If one of these booleans is present, enable it with "setsebool" (add -P so the setting persists across reboots and policy reloads). Here is an illustration of ssh commands from before and after setsebool is invoked:

[Screenshot: ssh login failing before setsebool, succeeding after]
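The following script is an added example, not part of the IBM document, showing Option (a) end to end: it looks for the candidate booleans named above in the output of "semanage boolean -l", reports their current state, and enables the first one found persistently. The parsing functions run against a constructed sample of semanage output so the logic can be exercised offline; the real commands (semanage, setsebool, sesearch) only run when RUN_SSHD_SELINUX_FIX=1 is set, and the environment variable name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the IBM page): find and enable an existing SELinux
# boolean that lets the sshd_t domain connect to HTTPS ports.

# Candidate booleans named on the page; which ones exist depends on installed packages.
CANDIDATE_BOOLEANS="authlogin_yubikey nis_enabled"

# Constructed sample of `semanage boolean -l` output for offline demonstration.
# Real format:  name   (current , default)   description
SAMPLE_LISTING='authlogin_yubikey              (off  ,  off)  Allow users to login using a yubikey server or a domain controller
nis_enabled                    (off  ,  off)  Allow system to run with NIS
ssh_sysadm_login               (off  ,  off)  Allow ssh logins as sysadm_r:sysadm_t'

# boolean_state NAME  <semanage listing on stdin>
# Prints "on" or "off" for NAME, or "missing" (and returns 1) if it is not listed.
boolean_state() {
    _name=$1
    _line=$(awk -v n="$_name" '$1 == n { print; exit }')
    if [ -z "$_line" ]; then
        echo missing
        return 1
    fi
    # The current value is the first word inside the parentheses.
    echo "$_line" | sed -n 's/^[^(]*(\([a-z]*\).*/\1/p'
}

# first_available_boolean  <semanage listing on stdin>
# Prints the first candidate boolean present on this system; returns 1 if none is.
first_available_boolean() {
    _listing=$(cat)
    for _b in $CANDIDATE_BOOLEANS; do
        if printf '%s\n' "$_listing" | awk -v n="$_b" '$1 == n { found = 1 } END { exit !found }'; then
            echo "$_b"
            return 0
        fi
    done
    return 1
}

# enable_boolean NAME: turn the boolean on now and in the persistent policy store (-P).
enable_boolean() {
    setsebool -P "$1" on
}

# Live run (needs root and the policycoreutils/setools packages); guarded so the
# functions above can be sourced and tested without touching the system.
if [ "${RUN_SSHD_SELINUX_FIX:-0}" = 1 ]; then
    _bool=$(semanage boolean -l | first_available_boolean) \
        || { echo "no candidate boolean found; use Option (b) or (c)" >&2; exit 1; }
    echo "$_bool is currently $(semanage boolean -l | boolean_state "$_bool"); enabling it"
    enable_boolean "$_bool"
    # Confirm what the boolean actually grants: the listed allow rules should include
    # sshd_t -> http_port_t:tcp_socket name_connect (sesearch comes from setools).
    sesearch -A -s sshd_t -t http_port_t -b "$_bool"
fi
```

The sesearch call at the end is the check worth keeping: a boolean such as nis_enabled grants far more than HTTPS access, so confirm that the rules it toggles are the ones you need before leaving it on.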

(b) Leverage audit2allow

Instead of using booleans, you can run the "audit2allow" command. It generates SELinux policy source (allow rules) from the AVC denials logged in /var/log/audit/audit.log. Here are the steps to follow:

  1. Clear (back up if necessary) your audit.log file, or simply note the time so that you can select only the new records later with "ausearch -ts".
  2. Attempt an ssh login to generate an SELinux audit log failure.
  3. Create a type enforcement file (known as a .te file) using audit.log as a source.
  4. Compile and add the new policy into SELinux.

Note that the output from "audit2allow" also reports any existing SELinux boolean that would allow the denied access, which you could then enable according to Option (a). Review the generated .te file before installing it: audit2allow grants exactly what was denied during the capture window, including anything unrelated that the SSH daemon attempted at the same time.

Here is an example of how you would use "audit2allow":

[Screenshot: ausearch/audit2allow run producing and installing a policy module]
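The following script is an added example, not the IBM document's own, that carries out Option (b) with two refinements a practitioner would want: it selects the audit records by time and process name instead of clearing audit.log, and it filters the denials down to the sshd_t-to-HTTPS ones before handing them to audit2allow. The filter runs against two constructed audit records embedded in the script; the module name mfa_sshd_https and the environment variable RUN_AUDIT2ALLOW are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM page): the audit2allow workflow for sshd_t -> HTTPS.

# Constructed AVC records in the format written to /var/log/audit/audit.log.
# Only the first one is relevant to outbound HTTPS from sshd; the second is noise.
SAMPLE_AUDIT='type=AVC msg=audit(1612861200.123:456): avc:  denied  { name_connect } for  pid=1234 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1612861201.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# sshd_https_denials  <audit records on stdin>
# Keeps only AVC denials where sshd_t was refused name_connect to an HTTP or
# HTTP-proxy port type (http_port_t covers 443; http_cache_port_t covers proxies).
sshd_https_denials() {
    grep 'type=AVC' \
        | grep -E 'denied +[{] name_connect [}]' \
        | grep -E 'scontext=[^ ]*:sshd_t:' \
        | grep -E 'tcontext=[^ ]*:http_(cache_)?port_t:'
}

# count_sshd_https_denials  <audit records on stdin>: number of matching denials.
count_sshd_https_denials() {
    sshd_https_denials | wc -l | tr -d ' '
}

# build_module_from_audit MODULE [SINCE]
# Pulls sshd AVC records since SINCE (an ausearch -ts value such as "recent", the
# last 10 minutes, or "today"), keeps the HTTPS-related ones, and lets audit2allow
# write MODULE.te and MODULE.pp in the current directory.
build_module_from_audit() {
    _mod=$1
    _since=${2:-recent}
    ausearch -m AVC -ts "$_since" -c sshd | sshd_https_denials | audit2allow -M "$_mod"
    # audit2allow prints a "#!!!! This avc can be allowed using the boolean ..." hint
    # when an existing boolean covers the denial; prefer that (Option a) if it appears.
    cat "$_mod.te"
}

# install_module MODULE: load MODULE.pp into the running policy store.
install_module() {
    semodule -i "$1.pp"
}

if [ "${RUN_AUDIT2ALLOW:-0}" = 1 ]; then
    # If no denial shows up at all, some policies silence it with dontaudit rules;
    # "semodule -DB" rebuilds the policy without them (and "semodule -B" restores it).
    build_module_from_audit mfa_sshd_https recent
    install_module mfa_sshd_https
fi
```

Filtering before audit2allow is the point of the example: the generated module then contains only the name_connect rules for sshd_t, which is what the page's Option (c) goes on to wrap in booleans.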

(c) Create your own SELinux boolean

For finer control, you can create your own custom SELinux booleans. Take the .te file generated in Option (b) and wrap its allow rules in conditional blocks that are switched by booleans. Beyond on/off control, the sample adds rules for proxy access (connections to http_cache_port_t, so the module can reach IBM Security Verify through an HTTP proxy) and for PAM invoked by local console login (the local_login_t domain) as well as by sshd. To use this option, write a small amount of policy code as shown in this sample:

[Screenshot: sample .te file declaring the booleans and conditional allow rules]

The above can be checked, packaged, and installed using the following commands:

[Screenshot: checkmodule, semodule_package and semodule commands building and installing the module]

SELinux booleans are initialized with a default on/off (true/false) value. In the sample code, both booleans are declared true, so they default to on. To disable one later, run a command such as the following (add -P if the change should persist across reboots and policy reloads):

setsebool mfa_pam_ibm_auth_sshd off
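
The following is an added example, not the IBM document's own sample, of Option (c) written out in full: a .te module that declares two booleans and puts the sshd and local-login rules under them, plus the checkmodule, semodule_package and semodule commands that check, package and install it. The boolean name mfa_pam_ibm_auth_sshd comes from the page; the second boolean mfa_pam_ibm_auth_login, the module name mfa_pam_ibm_auth, and the RUN_SELINUX_BUILD guard are assumptions of this example. The policy uses the raw "bool"/"if" module syntax that checkmodule accepts directly, rather than the refpolicy gen_tunable macros, which need the selinux-policy-devel Makefile.

```shell
#!/bin/sh
# Added example (not the IBM page's own sample): a policy module with two booleans,
# built with checkmodule/semodule_package and installed with semodule.
# mfa_pam_ibm_auth_sshd is named on the page; the other names are assumed here.

MODULE=mfa_pam_ibm_auth

# write_te_policy FILE: write the policy source for the module.
write_te_policy() {
    cat > "$1" <<'EOF'
module mfa_pam_ibm_auth 1.0;

require {
    type sshd_t;
    type local_login_t;
    type http_port_t;
    type http_cache_port_t;
    class tcp_socket name_connect;
}

# Both booleans default to on; toggle with: setsebool -P <name> off
bool mfa_pam_ibm_auth_sshd true;
bool mfa_pam_ibm_auth_login true;

# PAM inside the SSH daemon: direct HTTPS (http_port_t, which includes 443)
# and via an HTTP proxy (http_cache_port_t, e.g. 3128 or 8080).
if (mfa_pam_ibm_auth_sshd) {
    allow sshd_t http_port_t:tcp_socket name_connect;
    allow sshd_t http_cache_port_t:tcp_socket name_connect;
}

# PAM inside local console login (the local_login_t domain).
if (mfa_pam_ibm_auth_login) {
    allow local_login_t http_port_t:tcp_socket name_connect;
    allow local_login_t http_cache_port_t:tcp_socket name_connect;
}
EOF
}

# policy_booleans FILE: list each boolean a .te file declares with its default value.
policy_booleans() {
    awk '$1 == "bool" { sub(";", "", $3); print $2, $3 }' "$1"
}

# build_and_install FILE.te: check, package and load the module, then show the
# boolean states (both should report "on" immediately after installation).
build_and_install() {
    _te=$1
    _base=${_te%.te}
    checkmodule -M -m -o "$_base.mod" "$_te"        # parse and compile to a binary module
    semodule_package -o "$_base.pp" -m "$_base.mod"   # wrap it in a loadable package
    semodule -i "$_base.pp"                           # install into the policy store
    getsebool mfa_pam_ibm_auth_sshd mfa_pam_ibm_auth_login
}

# Live run (needs root and checkpolicy/policycoreutils); guarded so the file can be
# sourced without modifying the system.
if [ "${RUN_SELINUX_BUILD:-0}" = 1 ]; then
    write_te_policy "$MODULE.te"
    build_and_install "$MODULE.te"
fi
```

Because the rules sit inside if-blocks, "setsebool -P mfa_pam_ibm_auth_sshd off" later removes the sshd access without uninstalling the module, while "semodule -r mfa_pam_ibm_auth" removes both booleans and their rules entirely.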

By using one or more of these options, you can successfully connect from an SELinux-enabled system to a remote host.


Document Information

Modified date:
09 February 2021

UID

ibm16413685