
shibboleth-dev - Shibboleth and SELinux

Subject: Shibboleth Developers


Shibboleth and SELinux


  • From: Ian Young <>
  • To:
  • Subject: Shibboleth and SELinux
  • Date: Sat, 08 Sep 2007 16:09:49 +0100
  • Openpgp: id=EA2882BB

People here will no doubt be aware that, once upon a time, Shibboleth
and the Security Enhanced Linux extensions played reasonably nicely
together, thanks to SELinux policy written originally by Derek Atkins.

They'll probably also be aware that SELinux has been a target moving
with sufficient speed that we haven't been able to track it well since
then. People have been having trouble since at least FC3 that I
remember, and it has been completely broken since around the time of FC5
due to a fundamental change in the ways policy is modularised, built and
installed in newer systems.

I've been working with Scott to try and address this. I now have a
working SELinux policy for Shibboleth 1.3 that works in the newer
framework. This is in the form of a loadable policy module, so the
installation process is a little less intrusive than before, too.

If you are interested in running Shibboleth in SELinux-secured systems,
I'd be grateful for your help in testing this out. If you'd like to
help, please contact me here or off-list and I'll arrange to get you set
up. I will establish a page on the Shibboleth wiki to record hints and
tips.

When contacting me, please give me some idea of how SELinux-savvy you
are, and which environments you'd be interested in testing. The
development environment for this has been CentOS 5 (i.e., Red Hat
Enterprise Linux 5) but it may well work to some extent in other similar
systems such as recent editions of Fedora Core and Fedora (anything that
uses the modular targeted "reference" policy with loadable policy
modules). Other systems, such as those that predate the "reference"
policy (RHEL/CentOS 4, Fedora Core up to FC4, etc.) probably can't run
this policy, I'm afraid.

The expectation is that I'll maintain this as a separate thing until it
becomes debugged and after that until there is a window for
re-integrating it with the main releases.

-- Ian
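Added example, not part of Ian's message and not the Shibboleth policy itself: the loadable-module workflow the message refers to, as it is typed on a CentOS 5 or later Fedora host, together with the precondition check for a modular reference policy (semodule/checkmodule present and the reference-policy development Makefile installed), which is what separates those systems from RHEL/CentOS 4-era monolithic policy. The module name `shibtest`, its version, and its single placeholder rule are assumptions for illustration; a real module carries the types, file contexts and allow rules the application actually needs. `semodule -i` requires root and a running SELinux, so on a host without the toolchain the script only writes the source file.

```shell
#!/bin/sh
# Added example: build, package and load a minimal SELinux loadable policy
# module, after checking that the host uses the modular reference policy.
# Module name, version and the placeholder rule are assumptions, not the
# Shibboleth policy Ian describes.
set -u

# Returns 0 when the host has the modular-policy toolchain a loadable
# module needs: semodule/checkmodule and the reference-policy devel
# headers. Monolithic-policy systems (RHEL/CentOS 4, FC4) fail here.
modular_policy_supported() {
    command -v semodule >/dev/null 2>&1 || return 1
    command -v checkmodule >/dev/null 2>&1 || return 1
    [ -f /usr/share/selinux/devel/Makefile ] || return 1
    # The active policy type (e.g. "targeted") is named in /etc/selinux/config.
    grep -q '^SELINUXTYPE=' /etc/selinux/config 2>/dev/null || return 1
    return 0
}

# Write a placeholder module source (.te) into directory $1 and print its
# path. The file uses the raw module language that checkmodule accepts
# directly (no m4 macros), in the same shape audit2allow emits.
write_te() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/shibtest.te" <<'EOF'
# Placeholder loadable module (assumed name and version, not the real policy)
module shibtest 0.1;

# Types and classes used below must be imported from the base policy.
require {
    type httpd_t;
    type var_t;
    class file read;
}

# Placeholder rule so the module has something to compile; replace with the
# rules the application actually needs (e.g. derived from AVC denials).
allow httpd_t var_t:file read;
EOF
    echo "$dir/shibtest.te"
}

# Compile $1 (a .te file) to a binary module, package it as a .pp,
# install it, and confirm it appears in the loaded-module list.
build_and_load() {
    te=$1
    base=${te%.te}
    name=$(basename "$base")
    checkmodule -M -m -o "$base.mod" "$te" || return 1
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    semodule -i "$base.pp" || return 1      # needs root and a running SELinux
    semodule -l | grep -q "^$name" || return 1
    return 0
}

main() {
    workdir=${1:-/tmp/shibtest-policy}
    te=$(write_te "$workdir")
    if modular_policy_supported; then
        if build_and_load "$te"; then
            echo "module loaded: $(basename "$te" .te)"
        else
            echo "build or load failed for $te (root and SELinux required)"
        fi
    else
        echo "host lacks the modular reference-policy toolchain; wrote $te only"
    fi
}
main "$@"
```

After a successful load, `semodule -l` lists the module and `semodule -r shibtest` removes it again without touching the rest of the policy, which is the "less intrusive" installation the message mentions compared with rebuilding a monolithic policy.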


Archive powered by MHonArc 2.6.16.