
What is SELinux?

Security Enhanced Linux (SELinux) is a technology that extends the basic access control mechanisms of the Unix model (file ownership, file access permission modes and a general exception for "root") with an additional layer of mandatory access control governed by detailed access policies.

In most Linux distributions that include SELinux, potentially vulnerable daemons such as web servers are confined by a policy that allows them only the minimal access required to perform their functions. This means that even a subverted daemon is limited in the amount of damage it can do to the system.

SELinux is shipped with many Linux distributions, including Red Hat Enterprise Linux, CentOS, Fedora and Debian Etch. In RHEL and CentOS distributions, it is enabled in an "enforcing" mode by default.

Current Status and New Policy Development

At the present time, we do not support the SP in conjunction with SELinux, and at minimum we know that communication between the mod_shib and shibd components will fail if it's enabled. Other problems may also occur. We therefore suggest that SELinux be left disabled or in permissive mode during any initial setup or testing, and we don't officially support the SP's use with it enabled.
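When testing with SELinux in permissive mode, the audit log still records what would have been denied, which is the evidence needed to understand the mod_shib/shibd failure. The following script is an added example, not code from this wiki page or the Shibboleth project; the audit records it parses are constructed, and the socket path and security contexts in them are assumptions rather than values documented here.

```shell
#!/bin/sh
# Added example, not code from the Shibboleth wiki page or project: triage the
# SELinux denials that would explain mod_shib failing to talk to shibd.
# The socket path and contexts in the sample records are constructed assumptions.

# Report the running SELinux mode (Enforcing/Permissive/Disabled), or
# "unavailable" on a host without the SELinux userland tools.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unavailable
    fi
}

# Keep only AVC denial records whose acting process is Apache (which hosts
# mod_shib) or shibd; everything else in the audit stream is noise here.
shib_avc_denials() {
    grep 'type=AVC' | grep 'denied' | grep -E 'comm="(httpd|shibd)"'
}

# Reduce each denial to "comm permission tclass" so the failing operation
# (e.g. connecting to a unix stream socket) stands out at a glance.
summarize_denials() {
    sed -n 's/.*denied  { \([^ }]*\) } .*comm="\([^"]*\)".*tclass=\([^ ]*\).*/\2 \1 \3/p'
}

# Constructed sample audit records (not captured from a real system): one
# denial for httpd, one for shibd, one unrelated daemon, one non-AVC record.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:301): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=1410 comm="cupsd" name="printers.conf" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { create } for  pid=2050 comm="shibd" name="shibd.sock" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# On a real host, feed `ausearch -m AVC -ts recent` (or /var/log/audit/audit.log)
# into shib_avc_denials instead of the constructed sample below.
echo "SELinux mode: $(selinux_mode)"
sample_audit_log | shib_avc_denials | summarize_denials
```

On the constructed input the summary prints two lines, `httpd connectto unix_stream_socket` and `shibd create sock_file`, which is exactly the pair of denials that breaks the socket between the two components.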

There had been some intention to work on building policy modules for use with Shibboleth 2.x, but interest in this waned as SELinux adoption lagged, and there are no developers on the project with the necessary expertise. We welcome assistance from the community, but it would require a commitment to maintain such a deliverable as new releases are made.

Outside documentation that unofficially describes ways to use them together includes:
