The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

NativeSPSELinux

What is SELinux?

Security Enhanced Linux (SELinux) is a technology that extends the basic access control mechanisms of the Unix model (file ownership, file access permission modes, and a general exception for "root") with an additional layer of mandatory access control governed by detailed, administrator-loaded policies.

In most Linux distributions that include SELinux, potentially vulnerable daemons such as web servers are confined by policy allowing them only the minimal access required to perform their functions. This means that even a subverted daemon is limited in the amount of damage that it can do to the system.

SELinux is shipped with many Linux distributions, including Red Hat Enterprise Linux, CentOS, Fedora and Debian Etch. In RHEL and CentOS distributions, it is enabled in an "enforcing" mode by default.

Current Status and New Policy Development

At present we do not support running the SP with SELinux enabled. At minimum, we know that communication between the mod_shib and shibd components will fail when SELinux is enforcing, and other problems may also occur. We therefore suggest that SELinux be left disabled or in permissive mode during any initial setup or testing.
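As an added example (not code from the Shibboleth wiki or project), the following shell script shows the two checks an administrator would run before concluding that SELinux is what is breaking mod_shib's connection to shibd: report the current enforcement mode, and pull out of the audit log only those AVC denials in which the confined web server domain (httpd_t) was refused access to something named shibd. The audit records embedded in the script are constructed for illustration; the socket path /var/run/shibboleth/shibd.sock and the target contexts shown are assumptions, not values taken from this page.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth documentation or code base.
# Goal: decide whether SELinux is the likely cause of a mod_shib <-> shibd
# failure by (1) reporting the enforcement mode and (2) extracting AVC denials
# that involve shibd from audit-log records supplied on stdin.

# CONSTRUCTED sample audit records (not captured from a real host). The field
# layout follows the kernel AVC record format; the contexts, PIDs and the
# socket path are assumptions for illustration only.
AUDIT_SAMPLE='type=AVC msg=audit(1300000000.123:456): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1300000000.124:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="shibd.sock" dev="tmpfs" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1300000000.200:458): avc:  denied  { read } for  pid=999 comm="sshd" name="notes.txt" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=42 success=no exit=-13'

# selinux_mode: print Enforcing, Permissive or Disabled. Falls back to the
# kernel's selinuxfs flag when the getenforce utility is absent, and prints
# "unavailable" on hosts without SELinux so the script still runs anywhere.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo Enforcing ;;
            0) echo Permissive ;;
            *) echo unknown ;;
        esac
    else
        echo unavailable
    fi
}

# shibd_denials: read audit records on stdin and print one line per AVC denial
# in which the source domain is httpd_t and the record mentions shibd or the
# shibboleth directory. Output format: "<permission> <tclass> <path-or-name>".
# Denials from other domains (e.g. sshd_t) and non-AVC records are dropped.
shibd_denials() {
    awk '
        /^type=AVC/ && /scontext=[^ ]*:httpd_t:/ && /shibd|shibboleth/ {
            perm = ""; cls = ""; tgt = ""
            # The denied permission sits between braces: "denied  { connectto }"
            if (match($0, /denied +[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied +[{] /, "", perm)
                sub(/ [}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/) cls = substr($i, 8)
                # Files carry name="...", sockets being connected carry path="..."
                if ($i ~ /^(path|name)=/) {
                    tgt = $i
                    sub(/^[a-z]+=/, "", tgt)
                    gsub(/"/, "", tgt)
                }
            }
            print perm, cls, tgt
        }'
}

# report: what an operator would look at first when mod_shib cannot reach shibd.
report() {
    echo "SELinux mode: $(selinux_mode)"
    echo "httpd_t denials touching shibd (from the constructed sample):"
    printf '%s\n' "$AUDIT_SAMPLE" | shibd_denials
}

report
```

On a real host, replace the constructed sample with the live log, for example `ausearch -m avc -ts recent | shibd_denials`. Both denials the sample reproduces are what a confined web server needs in order to talk to a Unix-domain socket: `write` on the socket file and `connectto` on the daemon's socket. Switching to permissive mode with `setenforce 0` (or `SELINUX=permissive` in /etc/selinux/config to survive a reboot) keeps these denials being logged while no longer blocking them, which is what makes permissive mode useful for the initial-setup testing suggested above: you can confirm the SP works and still see exactly what an enforcing policy would have to allow.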

There had been some intention to build SELinux policy modules for use with Shibboleth 2.x, but interest waned as SELinux adoption lagged, and there are no developers on the project with the necessary expertise. We welcome assistance from the community, but it would require a commitment to maintain such a deliverable as new releases are made.

Outside documentation that unofficially describes ways to use them together includes: