Page tree
Skip to end of metadata
Go to start of metadata

What is SELinux?

Security Enhanced Linux (SELinux) is a technology that extends the basic access control mechanisms of the Unix model (file ownership, file access permission modes and a general exception for "root") with an additional layer of so-called mandatory access controls controlled by detailed access policies.

In most Linux distributions that include SELinux, potentially vulnerable daemons such as web servers are confined by policy allowing them only the minimal access required to perform their functions. This means that even a subverted daemon is limited in the amount of damage that it can do to the system.

SELinux is shipped with many Linux distributions, including Red Hat Enterprise Linux, CentOS, Fedora and Debian Etch. In RHEL and CentOS distributions, it is enabled in an "enforcing" mode by default.

Current Status and New Policy Development

At the present time, we do not support the SP in conjunction with SELinux, and at minimum we know that communication between the mod_shib and shibd components will fail if it's enabled. Other problems may also occur. We therefore suggest that during any initial setup or testing, that SELinux be left disabled or in permissive mode, and we don't officially support the SP's use with it enabled.

There had been some intention to work on building policy modules for use with Shibboleth 2.x, but the interest in this waned as SELinux adoption lagged and there are no developers on the project with the necessary expertise. We welcome assistance from the community, but it would require a commitment to maintain such a deliverable as new releases are done.

Outside documentation that unoffically describes ways to use them together include:

  • No labels

1 Comment

  1. I honestly don't think writing a module is necessary.

    You just have to give the correct selinux type to everything under /var/log/shibboleth-www. By default it's type httpd_log_t on which SELinux does allow neither "rename" nor "unlink".

    A quick look at the vast array of already available possibilities suggest httpd_sys_rw_content_t would be a better idea.

    So :


           semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/shibboleth-www(/.*)?"

           restorecon -F -R -v /var/log/shibboleth-www


    Also make sure your shibboleth2.xml (and othe config files in /etc/shibboleth) have type etc_t (it's often changed as these files travel around). This should suffice:


           restorecon -F -R -v /etc/shibboleth


    Perhaps I should point out that this was successfully tested on a SELinux-enforcing RHEL7 machine with default policy, and the httpd_can_network_connect SELinux boolean set to true, like so:


    setsebool -P httpd_can_network_connect on