Account Services on the Web
This information is not yet verified by testing
To configure SELinux to allow Apache (where mod_shib is loaded) to connect to shibd, create a type enforcement file that defines a policy module named mod_shib-to-shibd.
(1) Create the file mod_shib-to-shibd.te with the following contents:
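module mod_shib-to-shibd 1.0;

# Types and permissions this module refers to; they must already exist in the loaded policy.
require {
    type var_run_t;
    type httpd_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
}

#============= httpd_t ==============
# These rules assume shibd runs in the initrc_t domain and its socket is labelled var_run_t.
# They apply to every initrc_t process and every var_run_t socket file, not only to shibd.
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;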
(2) Compile, package and load the module with:
checkmodule -m -M -o mod_shib-to-shibd.mod mod_shib-to-shibd.te
semodule_package -o mod_shib-to-shibd.pp -m mod_shib-to-shibd.mod
semodule -i mod_shib-to-shibd.pp
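Alternatively, generate the module from the denials recorded in the audit log (audit2allow is provided by policycoreutils-python):
yum install policycoreutils-python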
cd /etc/shibboleth
grep httpd_t /var/log/audit/audit.log | grep shibboleth | audit2allow -M httpd_shibd
semodule -i httpd_shibd.pp
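
The audit2allow commands above load whatever rules the matched denials produce, so it is worth comparing the generated httpd_shibd.te (written next to the .pp by audit2allow -M) with the two rules of the hand-written module before running semodule -i. The script below is an added example, not part of the original page; the function names and the sample .te content are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a generated httpd_shibd.te grants beyond the two
# rules in the hand-written module on this page, before running semodule -i.

# The two rules from mod_shib-to-shibd.te, one permission per line.
EXPECTED='httpd_t initrc_t:unix_stream_socket connectto
httpd_t var_run_t:sock_file write'

# Print "source target:class perm" for every permission a .te file allows,
# expanding "{ a b }" permission sets into one line each.
te_rules() {
    awk '$1 == "allow" {
        line = $0
        sub(/^[ \t]*allow[ \t]+/, "", line)
        sub(/;[ \t]*$/, "", line)
        gsub(/[{}]/, " ", line)
        n = split(line, f, /[ \t]+/)
        for (i = 3; i <= n; i++) if (f[i] != "") print f[1], f[2], f[i]
    }' "$1" | LC_ALL=C sort -u
}

# Rules present in the file but not expected; no output means nothing extra.
unexpected_rules() {
    te_rules "$1" | grep -Fxv -e "$EXPECTED" || true
}

# Constructed sample of audit2allow output, abridged (not from a real system):
# here the "shibboleth" grep also matched a denial on a log file.
sample_te() {
    cat <<'EOF'
module httpd_shibd 1.0;

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_log_t:file { open append };
allow httpd_t var_run_t:sock_file write;
EOF
}

tmp=$(mktemp)
sample_te > "$tmp"
unexpected_rules "$tmp"    # prints the two var_log_t lines
rm -f "$tmp"
```

On a real host, call unexpected_rules /etc/shibboleth/httpd_shibd.te after the audit2allow step and review any line it prints before loading the module.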