[refpolicy] Policy module for shibboleth authentication daemon

Christopher J. PeBenito cpebenito at tresys.com
Fri Mar 14 10:36:33 EDT 2014

On 03/03/2014 11:41 AM, Martin Lang wrote:
> I designed a policy module for the shibboleth authentication daemon (see
> http://shibboleth.internet2.edu/). Shibboleth is a single sign-on
> service mainly used in academic environment. The service consists of an
> apache module and a background daemon. The background daemon
> communicates with the remote authentication server whereas the apache
> only communicates locally with the authentication daemon via unix stream
> socket.
> I attached the policy files to this mail and would like the module to be
> included in the reference policy. I tested the rules on a Debian wheezy
> machine.
> I'm open for improvements and other comments.

It looks like a good start.  The big thing that prevents its inclusion is the httpd_t usage in the module:

> # Allow the apache shibboleth module to connect to shibd
> gen_require(`
> 	type httpd_t;
> ')
> stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
> # Allow apache module to read shibboleth configuration
> shibboleth_read_config(httpd_t)

This access would need to go into the apache module.

The organization would need to be adjusted too[1], but that is minor.

[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Finally, I'd prefer that you submit it via "git format-patch -n -s" and send via "git send-email".  It's not required, but it makes it easier to commit.

Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

More information about the refpolicy mailing list