Account Services on the Web

This information is not yet verified by testing

To configure SELinux to allow Apache (where mod_shib is loaded) to connect to shibd, create a type enforcement file that defines a policy module named mod_shib-to-shibd.

(1) Create the file mod_shib-to-shibd.te with the following contents:

    module mod_shib-to-shibd 1.0;

    require {
        type var_run_t;
        type httpd_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
    }

    #============= httpd_t ==============
    allow httpd_t initrc_t:unix_stream_socket connectto;
    allow httpd_t var_run_t:sock_file write;

(2) Compile, package and load the module with:

    checkmodule -m -M -o mod_shib-to-shibd.mod mod_shib-to-shibd.te
    semodule_package -o mod_shib-to-shibd.pp -m mod_shib-to-shibd.mod
    semodule -i mod_shib-to-shibd.pp

If you still encounter SELinux errors, the following may prove helpful:

    yum install policycoreutils-python
    cd /etc/shibboleth
    grep httpd_t /var/log/audit/audit.log | grep shibboleth | audit2allow -M httpd_shibd
    semodule -i httpd_shibd.pp

(You may need to do this more than once)
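
Because the audit2allow step turns every matching denial into an allow rule, it helps to read the candidate rules before running semodule -i. The script below is an added example, not part of the original page: it parses AVC denial lines and prints each resulting rule with a hit count. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the allow rules that AVC denials would become,
# with a hit count, so they can be read before a module is loaded.

# Constructed sample lines in audit.log format (not from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1400000000.101:501): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1400000000.102:502): avc:  denied  { write } for  pid=2101 comm="httpd" name="shibd.sock" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1400000000.102:502): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1400000000.205:617): avc:  denied  { write } for  pid=2188 comm="httpd" name="shibd.sock" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
EOF
}

# stdin: audit.log lines; stdout: "count<TAB>allow rule" per unique rule.
avc_to_rules() {
    awk '
    /avc: +denied/ && /scontext=/ && /tcontext=/ && /tclass=/ {
        # Denied permissions sit between the braces, e.g. { connectto }
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        src = ctx_type(field($0, "scontext"))
        tgt = ctx_type(field($0, "tcontext"))
        cls = field($0, "tclass")
        n = split(perms, p, / +/)
        for (i = 1; i <= n; i++)
            seen["allow " src " " tgt ":" cls " " p[i] ";"]++
    }
    END { for (r in seen) printf "%d\t%s\n", seen[r], r }

    # Return the value of the first key=value token on the line.
    function field(line, key,    i, n, tok) {
        n = split(line, tok, / +/)
        for (i = 1; i <= n; i++)
            if (index(tok[i], key "=") == 1)
                return substr(tok[i], length(key) + 2)
        return ""
    }
    # The type is the third part of user:role:type:level.
    function ctx_type(ctx,    c) { split(ctx, c, ":"); return c[3] }
    ' | sort -k2
}

sample_audit_log | avc_to_rules
```

On a real host, feed it the same filtered input as the audit2allow command above, for example the output of the two grep commands.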