...
A new policy module has been developed for Shibboleth 1.3. This has been tested to some extent under Red Hat Enterprise Linux 5 (CentOS 5) and more testers are now required. Please contact ~ian@iay.org.uk Ian Young if you would like to assist with this.A similar new policy module will be developed for Shibboleth 2.0. Again, please contact ~ian@iay.org.uk if you would be able to assist in testing this.
For the immediate future, the new policy modules will be kept separate from the main development stream. It is likely that the new SELinux policy will be integrated into the Shibboleth 2.0 packages at some point. This is less likely to be the case for Shibboleth 1.3 as development effort moves to Shibboleth 2.0.
Installing Experimental Policy Modules
This section provides instructions for people testing the new policy modules.
Preparing Your System
SELinux may be in one of three states on your system:
- disabled
- enabled and permissive
- enabled and enforcing
Before installing the new policy modules, you should get Shibboleth and your application working with SELinux enabled but permissive.
You can find out whether SELinux is enabled and, if so, which mode it is running in using the sestatus command.
| Code Block |
|---|
[root@shib selinux]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
|
If your SELinux status is disabled, you must enable SELinux. In RHEL5, this can be done with the system-config-securitylevel GUI command. Under the SELinux tab, change the SELinux setting from "Disabled" to "Permissive" and select OK.
Note that if SELinux was previously disabled, it is likely that most of your files have incorrect (or no) security context labels. To fix this, system-config-securitylevel should ask to reboot your system so that the file system can be relabelled.
If SELinux is currently in enforcing mode, it is probably simplest to use system-config-securitylevel to change to permissive mode initially.
Once you have installed the policy files and verified that things appear to be working, you can transition the system to enforcing mode for production use.
With SELinux enabled in permissive mode, get your Shibboleth SP and your application working. Once it is working, proceed to policy installation.
Installing SELinux Policy
The new SELinux policy comes distributed in a file with a name like shibd-selinux-x.x.x.y.tar.gz, where x.x.x is a Shibboleth version number and y is a build number for the file. Unpack this file to produce a directory called shibd-selinux-x.x.x.y. Inside you should find:
- Source files:
shibd.fcis the file context policy source fileshibd.teis the type enforcement policy source fileshibd.ifis the policy interface source fileMakefilewould allow you to rebuild the policy module if you had all the appropriate development packages installed; you can ignore it
- Deliverables:
relabelis used to apply appropriate security contexts to critical filesshibdis a replacement service control file for the daemonshibd.ppis the compiled policy module
To install policy, proceed as follows:
| Code Block |
|---|
# service shibd stop
# service httpd stop
# cp shibd /etc/init.d/shibd
# chmod +x /etc/init.d/shibd
# semodule -i shibd.pp
# ./relabel
|
Once your policy is installed, you can start testing.
Testing Experimental Policy
The way you will find out if the experimental policy is failing in your system is by SELinux denial messages in the /var/log/messages file. It's worth opening a window to monitor this:
| Code Block |
|---|
# tail -f /var/log/messages
|
Now, restart the Shibboleth daemon and your web server:
| Code Block |
|---|
# service shibd start
# service httpd start
|
At this point, you should be able to access your application without any denial messages being issued. If you do see problems, please report them in the Internet2 JIRA system on the C++ SP project, specifying the SELinux component.