What is SELinux?
Security Enhanced Linux (SELinux) is a technology that extends the basic access control mechanisms of the Unix model (file ownership, file access permission modes and a general exception for "root") with an additional layer of so-called mandatory access controls governed by detailed access policies.
In most Linux distributions that include SELinux, potentially vulnerable daemons such as web servers are confined by policy allowing them only the minimal access required to perform their functions. This means that even a subverted daemon is limited in the amount of damage that it can do to the system.
SELinux is shipped with many Linux distributions, including Red Hat Enterprise Linux, CentOS, Fedora and Debian Etch. In RHEL, CentOS and Fedora distributions, it is enabled in an "enforcing" mode by default.
SELinux and Shibboleth
As SELinux becomes more popular, it is obviously important that the Shibboleth SP be able to work properly in an SELinux environment. To do this, SELinux policy needs to be added to the system's policy database both to correctly confine the shibd daemon and to allow appropriate communication between that daemon and the web server.
Back when SELinux and Shibboleth were both much younger, Derek Atkins wrote some SELinux policy that worked with the Shibboleth of the day and with the SELinux of the day. This has been shipped as a separate Shibboleth SELinux RPM alongside the main SP RPM since that time.
Unfortunately, Derek's policy no longer works, primarily because of dramatic changes in SELinux as it matured. In particular, distributions have moved from using policy based on a framework confusingly known as the "example policy" to one based on the equally unhelpfully named "reference policy". Installation of policy has also changed radically, from being based around scripted modification of the system's policy source files to one based on separately compiled policy modules.
Because Red Hat Enterprise Linux 5, CentOS 5, Fedora Core 6, Fedora 7, and Debian Etch are all based around the modular reference policy, Derek's policy is no longer installable on those systems. The simplest way to run Shibboleth on such systems at present is to disable SELinux altogether, or to set it to a "permissive" mode in which policy violations are reported but not enforced. This is obviously far from ideal.
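The following added example (not part of the original page or of any Shibboleth policy) shows how the denials reported in permissive mode can be grouped into the accesses a policy module would have to cover, here for the web server talking to shibd. The audit records are constructed, and the socket path, log file name and type labels in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from a real system); the socket and
# log names and the generic initrc_t label for shibd are assumptions.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1190000001.101:51): avc:  denied  { write } for  pid=2101 comm="httpd" name="shibd.sock" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1190000001.102:52): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1190000002.001:53): avc:  denied  { read append } for  pid=2101 comm="httpd" name="native.log" dev=dm-0 ino=4300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1190000002.001:53): arch=40000003 syscall=5 success=yes exit=12 comm="httpd"
type=AVC msg=audit(1190000003.001:54): avc:  denied  { connectto } for  pid=2102 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class) -> set of perms."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith('type=AVC'):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # malformed or non-denial AVC record
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        needed[key].update(m['perms'].split())
    return dict(needed)

def as_allow_rules(needed):
    """Render the grouped denials as candidate allow rules for human review."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        rules.append('allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return rules

if __name__ == '__main__':
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Candidate rules against generic types such as initrc_t or var_log_t grant more than the web server needs, so they are a review list rather than finished policy. A dedicated module would normally give the daemon, its socket and its logs their own types and allow only those.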
Current Status and New Policy Development
In order to reduce confusion, we are no longer building SELinux RPMs for supported systems for Shibboleth 1.3 or Shibboleth 2.0.
A new policy module has been developed for Shibboleth 1.3. This has been tested to some extent under Red Hat Enterprise Linux 5 (CentOS 5) and more testers are now required. Please contact ian@iay.org.uk if you would like to assist with this.
A similar new policy module will be developed for Shibboleth 2.0. Again, please contact ian@iay.org.uk if you would be able to assist in testing this.
For the immediate future, the new policy modules will be kept separate from the main development stream. It is likely that the new SELinux policy will be integrated into the Shibboleth 2.0 packages at some point. This is less likely to be the case for Shibboleth 1.3 as development effort moves to Shibboleth 2.0.