...
For the immediate future, the new policy modules will be kept separate from the main development stream. It is likely that the new SELinux policy will be integrated into the Shibboleth 2.0 packages at some point. This is less likely to be the case for Shibboleth 1.3 as development effort moves to Shibboleth 2.0.
Installing Experimental Policy Modules
This section provides instructions for people testing the new policy modules.
Preparing Your System
SELinux may be in one of three states on your system:
- disabled
- enabled and permissive
- enabled and enforcing
Before installing the new policy modules, you should get Shibboleth and your application working with SELinux enabled but permissive.
You can find out whether SELinux is enabled and, if so, which mode it is running in using the sestatus command.
[root@shib selinux]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
If your SELinux status is disabled, you must enable SELinux. In RHEL5, this can be done with the system-config-securitylevel GUI command. Under the SELinux tab, change the SELinux setting from "Disabled" to "Permissive" and select OK.
Note that if SELinux was previously disabled, it is likely that most of your files have incorrect (or no) security context labels. To fix this, system-config-securitylevel should ask to reboot your system so that the file system can be relabelled.
If SELinux is currently in enforcing mode, it is probably simplest to use system-config-securitylevel to change to permissive mode initially. Once you have installed the policy files and verified that things appear to be working, you can transition the system to enforcing mode for production use.
With SELinux enabled in permissive mode, get your Shibboleth SP and your application working. Once it is working, proceed to policy installation.
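To make the preparation steps above concrete, here is an added shell example (not from the Shibboleth wiki) that classifies a sestatus report into the step that applies and prints the matching commands for review rather than running them. The SAMPLE_ENFORCING text and both function names are constructed for this example; the printed commands assume the standard RHEL5 locations and tools (setenforce, /etc/selinux/config, /.autorelabel).

```shell
#!/bin/sh
# Added example, not part of the Shibboleth wiki page.
# Reads a sestatus report on stdin and prints which preparation step applies:
#   already-permissive | set-permissive | enable-and-relabel
selinux_prep_action() {
    report=$(cat)
    # sestatus pads its columns with spaces; split on "colon + spaces".
    status=$(printf '%s\n' "$report" | awk -F': *' '/^SELinux status:/ {print $2}')
    mode=$(printf '%s\n' "$report" | awk -F': *' '/^Current mode:/ {print $2}')
    case "$status" in
        disabled) echo enable-and-relabel ;;
        enabled)
            case "$mode" in
                permissive) echo already-permissive ;;
                enforcing)  echo set-permissive ;;
                *) echo unknown; return 1 ;;
            esac ;;
        *) echo unknown; return 1 ;;
    esac
}

# Prints (does not run) the commands for a given action so the operator can
# review them first. "touch /.autorelabel" is the non-GUI way to request the
# relabel-on-reboot that the page says system-config-securitylevel offers.
selinux_prep_commands() {
    case "$1" in
        already-permissive)
            echo "# nothing to change: get shibd and your application working, then install the policy" ;;
        set-permissive)
            echo "setenforce 0"
            echo "sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config" ;;
        enable-and-relabel)
            echo "sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config"
            echo "touch /.autorelabel"
            echo "reboot" ;;
        *) return 1 ;;
    esac
}

# Constructed sestatus output mirroring the page's example (enforcing host).
SAMPLE_ENFORCING='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# Usage on a real host:   sestatus | selinux_prep_action
# Dry run on the sample:  printf '%s\n' "$SAMPLE_ENFORCING" | selinux_prep_action
```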
Installing SELinux Policy
The new SELinux policy comes distributed in a file with a name like shibd-selinux-x.x.x.y.tar.gz, where x.x.x is a Shibboleth version number and y is a build number for the file. Unpack this file to produce a directory called shibd-selinux-x.x.x.y. Inside you should find: