Getting list of all configured IDPs from Shibboleth SP

David Beaumont D.Beaumont at
Fri Feb 3 22:45:41 GMT 2012

This works for me:

module apacheshibsocket 1.0;

require {
        type var_run_t;
        type httpd_t;
        type initrc_t;
        type initrc_var_run_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file {open read};
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_var_run_t:file {open read};

The first two 'allow' lines give access to the shibd socket. The last allows access to the DiscoFeed json cache file. This may not be the most secure policy but it can't be any worse than disabling SELinux. Install with these commands:

$ checkmodule -M -m -o apacheshibsocket.mod apacheshibsocket.te
$ semodule_package -o apacheshibsocket.pp -m apacheshibsocket.mod
$ semodule -i apacheshibsocket.pp

Best of luck,

On 3 Feb 2012, at 22:35, Tom Poage wrote:

> SELinux?
> The DS won't work when set to Enforcing (and I haven't worked out a
> policy for it).
> Tom.
> On 02/03/2012 01:43 PM, Eugene Dvorkin wrote:
>> This is not my case. This is a brand new installation, 2.4 - I installed
>> it a couple of days ago on CentOS from rpm.  The handler exists in
>> shibboleth2.xml and is uncommented. Probably I misconfigured something.
> ...
>> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
> --
> To unsubscribe from this list send an email to users-unsubscribe at
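
The check below is an added example, not part of the original post or of the Shibboleth project's own tooling. It expands the three allow rules from the module and a set of AVC denials into (source, target, class, permission) tuples, then reports denials the module leaves uncovered and rules that no denial justifies. The log lines, file names and the var_log_t denial are constructed for illustration.

```shell
# Constructed audit.log excerpt (assumption: not taken from the thread).
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1328309141.101:51): avc:  denied  { write } for  pid=2101 comm="httpd" name="shibd.sock" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1328309141.102:52): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1328309150.310:60): avc:  denied  { read } for  pid=2101 comm="httpd" name="discofeed.json" dev=dm-0 ino=1402 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1328309150.311:61): avc:  denied  { open } for  pid=2101 comm="httpd" name="discofeed.json" dev=dm-0 ino=1402 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1328309199.001:77): avc:  denied  { write } for  pid=2101 comm="httpd" name="shibd.log" dev=dm-0 ino=1500 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}
# The three allow rules exactly as they appear in the module above.
policy_te() {
cat <<'EOF'
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_var_run_t:file {open read};
EOF
}
# Reduce each denial on stdin to "source target class perm", one permission per line.
avc_tuples() {
  awk '/avc: +denied/ {
    src = tgt = cls = ""; n = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perm[++n] = $j }
      else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    for (k = 1; k <= n; k++) print src, tgt, cls, perm[k]
  }' | sort -u
}
# Expand "allow" rules on stdin into the same tuple form.
te_tuples() {
  sed -n 's/^allow \([^ ]*\) \([^:]*\):\([^ ]*\) \(.*\);$/\1 \2 \3 \4/p' |
  tr -d '{}' | awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' | sort -u
}
# Print the lines of $1 that do not appear in $2.
not_in() {
  printf '%s\n' "$1" | while read -r t; do
    printf '%s\n' "$2" | grep -qxF -- "$t" || printf '%s\n' "$t"
  done
}
# Denials the module does not cover: these still fail in Enforcing mode.
uncovered()   { not_in "$(sample_avcs | avc_tuples)" "$(policy_te | te_tuples)"; }
# Rules no observed denial justifies: candidates to drop for least privilege.
unjustified() { not_in "$(policy_te | te_tuples)" "$(sample_avcs | avc_tuples)"; }
echo "uncovered: $(uncovered)"; echo "unjustified: $(unjustified)"
```

On a real host, feed `avc_tuples` the output of `ausearch -m avc -c httpd` instead of the constructed sample.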
