[refpolicy] Policy module for shibboleth authentication daemon
Christopher J. PeBenito
cpebenito at tresys.com
Fri Mar 14 10:36:33 EDT 2014
On 03/03/2014 11:41 AM, Martin Lang wrote:
> I designed a policy module for the shibboleth authentication daemon (see
> http://shibboleth.internet2.edu/). Shibboleth is a single sign-on
> service mainly used in academic environments. The service consists of an
> apache module and a background daemon. The background daemon
> communicates with the remote authentication server, whereas the apache
> module only communicates locally with the authentication daemon via unix stream
> I attached the policy files to this mail and would like the module to be
> included in the reference policy. I tested the rules on a Debian wheezy
> I'm open to improvements and other comments.
It looks like a good start. The big thing that prevents its inclusion is the httpd_t usage in the module:
> # Allow the apache shibboleth module to connect to shibd
> type httpd_t;
> stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
> # Allow apache module to read shibboleth configuration
This access would need to go into the apache module.
The organization would need to be adjusted too, but that is minor.
Finally, I'd prefer that you submit it via "git format-patch -n -s" and send via "git send-email". It's not required, but it makes it easier to commit.
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
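Worked example of the restructuring Chris is asking for, added here as an illustration and not part of Martin's submission or of the refpolicy tree. The accesses that shibd grants to its clients are exposed as interfaces in shibboleth.if, and apache.te calls them under optional_policy(), so the shibboleth module never names httpd_t. The interface names, the configuration type shibboleth_conf_t and the use of files_search_pids() are my assumptions about how the final module would be written; the stream_connect_pattern() line is the one from the quoted patch, moved into an interface.

```m4
########################################
## <summary>
##	Connect to shibd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`shibboleth_stream_connect',`
	# Types from another module are pulled in with gen_require,
	# never declared with a bare "type" line (example, not upstream code)
	gen_require(`
		type shibboleth_t, shibboleth_var_run_t;
	')

	# The socket lives under /run, so the caller needs search on the pid dirs
	files_search_pids($1)
	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
')

########################################
## <summary>
##	Read shibboleth configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`shibboleth_read_config',`
	# shibboleth_conf_t is an assumed type name for the daemon's config
	gen_require(`
		type shibboleth_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, shibboleth_conf_t, shibboleth_conf_t)
')

########################################
#
# apache.te: the calling side lives in the apache module, not in
# shibboleth.te, and is wrapped so apache builds without shibboleth
#
optional_policy(`
	shibboleth_read_config(httpd_t)
	shibboleth_stream_connect(httpd_t)
')
```

With this layout the `type httpd_t;` declaration disappears from shibboleth.te entirely: a module may only declare the types it owns, and anything it needs from another module is pulled in through gen_require() inside an interface. Because the call in apache.te sits under optional_policy(), the apache module still compiles and loads on a system where the shibboleth module is absent, which is the property refpolicy needs for an optional contrib module.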