...
The new SELinux policy comes distributed in a file with a name like shibd-selinux-x.x.x.y.tar.gz, where x.x.x is a Shibboleth version number and y is a build number for the file. Unpack this file to produce a directory called shibd-selinux-x.x.x.y. Inside you should find:
- Source files:
  - shibd.fc is the file context policy source file
  - shibd.te is the type enforcement policy source file
  - shibd.if is the policy interface source file
  - Makefile would allow you to rebuild the policy module if you had all the appropriate development packages installed; you can ignore it
- Deliverables:
  - relabel is used to apply appropriate security contexts to critical files
  - shibd is a replacement service control file for the daemon
  - shibd.pp is the compiled policy module
To install the policy, proceed as follows:
```
# service shibd stop
# service httpd stop
# cp shibd /etc/init.d/shibd
# chmod +x /etc/init.d/shibd
# semodule -i shibd.pp
# ./relabel
```
Once your policy is installed, you can start testing.
Testing Experimental Policy
You will find out whether the experimental policy is failing on your system from SELinux denial messages in the /var/log/messages file. It's worth opening a window to monitor this:
```
# tail -f /var/log/messages
```
Now, restart the Shibboleth daemon and your web server:
```
# service shibd start
# service httpd start
```
At this point, you should be able to access your application without any denial messages being issued. If you do see problems, please report them to ~ian@iay.org.uk.
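If denials do appear, a condensed summary is easier to read and to include in a report than raw log lines. The following is an added example, not part of the shibd-selinux distribution: a shell function that summarises the AVC denials mentioning shibd in syslog-format input. The sample lines are constructed, and the host name, pids, file name and the shibd_t type name in them are assumptions.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials that mention shibd.
# Reads syslog-format lines on stdin and prints one line per distinct denial:
#   count comm {permissions} tclass scontext -> tcontext
# Typical use: summarise_shibd_denials < /var/log/messages
summarise_shibd_denials() {
    awk '
    /avc:[ ]+denied/ && /shibd/ {
        perms = comm = sctx = tctx = tclass = "?"
        # The denied permissions sit between braces, e.g. "{ read write }".
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # The remaining details are key=value fields separated by whitespace.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        count[comm " {" perms "} " tclass " " sctx " -> " tctx]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample input. Host, pids, inode numbers, the file name and the
# shibd_t type are assumptions made for illustration, not taken from the policy.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 sp1 kernel: type=1400 audit(1204539302.101:45): avc:  denied  { read } for  pid=2101 comm="shibd" name="example.xml" dev=dm-0 ino=4711 scontext=system_u:system_r:shibd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Mar  3 10:15:03 sp1 kernel: type=1400 audit(1204539303.210:46): avc:  denied  { read } for  pid=2101 comm="shibd" name="example.xml" dev=dm-0 ino=4711 scontext=system_u:system_r:shibd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Mar  3 10:15:09 sp1 kernel: type=1400 audit(1204539309.007:47): avc:  denied  { connectto } for  pid=2250 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:shibd_t:s0 tclass=unix_stream_socket
Mar  3 10:15:11 sp1 kernel: type=1400 audit(1204539311.300:48): avc:  denied  { write } for  pid=990 comm="ntpd" name="drift" dev=dm-0 ino=9001 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Mar  3 10:15:12 sp1 shibd: daemon starting
EOF
}

# Demonstration on the constructed lines above.
sample_log | summarise_shibd_denials
```

On systems where auditd is running, AVC denials are written to /var/log/audit/audit.log instead, and the same function can be fed that file.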