shibboleth-dev - SELinux and Shibboleth again
- From: Ian Young <>
- To: Shibboleth Developers <>, Shibboleth <>
- Subject: SELinux and Shibboleth again
- Date: Thu, 20 Sep 2007 18:50:41 +0100
- Openpgp: id=EA2882BB
I mentioned this on the -dev list a couple of weeks ago. Deafening silence in response prompts me to broaden the audience a little, but there is new information here too.

People here will no doubt be aware that, once upon a time, Shibboleth and the Security Enhanced Linux extensions played reasonably nicely together, thanks to SELinux policy written originally by Derek Atkins. They'll probably also be aware that SELinux has been a target moving with sufficient speed that we haven't been able to track it well since then. People have been having trouble since at least FC3 that I remember, and it has been completely broken since around the time of FC5 due to a fundamental change in the ways policy is modularised, built and installed in newer systems.

I've been working with Scott to try and address this. I now have a working SELinux policy for Shibboleth 1.3 that works in the newer framework. This is in the form of a loadable policy module, so the installation process is a little less intrusive than before, too.

If you are interested in running Shibboleth in SELinux-secured systems, I'd be grateful for your help in testing this out. If you'd like to help, please contact me here or off-list and I'll arrange to get you set up. I have established a page on the Shibboleth wiki with background, and as a place to record instructions, hints and tips:

https://spaces.internet2.edu/x/QBU

When contacting me, please give me some idea of which environments you'd be interested in testing. The development environment for this has been CentOS 5 (i.e., Red Hat Enterprise Linux 5) but it may well work to some extent in other similar systems such as recent editions of Fedora Core and Fedora (anything that uses the modular targeted "reference" policy with loadable policy modules). Other systems, such as those that predate the "reference" policy (RHEL/CentOS 4, Fedora Core up to FC4, etc.) probably can't run this policy, I'm afraid. Please let me know anyway if that's a problem for you.

The expectation is that I'll maintain this as a separate thing until it becomes debugged and after that until there is a window for re-integrating it with the main releases.

-- Ian
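The loadable-module mechanism the message refers to, as an added example that is not part of the original post and is not the Shibboleth project's own policy: a minimal reference-policy module for a hypothetical daemon is written out, built with the devel Makefile, loaded with semodule and then checked in the policy store. The module name "shibdemo", its types and the filesystem paths are placeholders; the script assumes the selinux-policy-devel tooling shipped with RHEL/CentOS 5 and later (/usr/share/selinux/devel/Makefile, semodule, restorecon) and must run as root to load anything.

```shell
#!/bin/sh
# Added example, not code from the original post or from Shibboleth.
# Shows the modular "reference policy" workflow: .te + .fc sources ->
# checkmodule/semodule_package via the devel Makefile -> semodule -i.
# "shibdemo" and every type/path below are hypothetical placeholders.

set -eu

MODULE=shibdemo

# Write a minimal reference-policy module into DIR: MODULE.te (rules)
# and MODULE.fc (file contexts). Pure file writes, no SELinux tooling
# needed, so this part runs on any host.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(shibdemo, 1.0.0)

# Hypothetical daemon domain; this is NOT the real Shibboleth policy.
type shibdemo_t;
type shibdemo_exec_t;
init_daemon_domain(shibdemo_t, shibdemo_exec_t)

# PID files the daemon may create and manage under /var/run.
type shibdemo_var_run_t;
files_pid_file(shibdemo_var_run_t)
manage_files_pattern(shibdemo_t, shibdemo_var_run_t, shibdemo_var_run_t)
files_pid_filetrans(shibdemo_t, shibdemo_var_run_t, file)
EOF
    cat > "$dir/$MODULE.fc" <<'EOF'
/usr/sbin/shibdemo          --  gen_context(system_u:object_r:shibdemo_exec_t,s0)
/var/run/shibdemo(/.*)?         gen_context(system_u:object_r:shibdemo_var_run_t,s0)
EOF
}

# 0 on a host with the modular reference policy (RHEL/CentOS 5, recent
# Fedora); 1 on monolithic-policy hosts such as RHEL 4 / FC4, which the
# message says cannot run a loadable module at all.
modular_policy_available() {
    [ -f /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1
}

# Compile the sources in DIR into a loadable package, MODULE.pp.
build_module() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
}

# Load the package into the running policy store (needs root) and
# relabel the paths named in the .fc file so the contexts take effect.
install_module() {
    semodule -i "$1/$MODULE.pp"
    restorecon -Rv /usr/sbin/shibdemo /var/run/shibdemo 2>/dev/null || true
}

# 0 if the policy store lists the module, 1 otherwise.
module_loaded() {
    semodule -l | grep -q "^$MODULE[[:space:]]"
}

main() {
    work=${1:-./selinux-$MODULE}
    write_policy_sources "$work"
    if modular_policy_available; then
        build_module "$work"
        install_module "$work"
        if module_loaded; then
            echo "$MODULE is loaded"
        else
            echo "$MODULE did not load; check 'semodule -l' and audit.log" >&2
            return 1
        fi
    else
        echo "no modular reference policy here; sources written to $work" >&2
    fi
}

main "$@"
```

On a modular-policy host this ends with the module listed by `semodule -l`; on a pre-reference-policy host the availability check fails and only the sources are written, which is the limitation the message describes for RHEL/CentOS 4 and FC4. Removing the test module afterwards is `semodule -r shibdemo`.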