Getting list of all configured IDPs from Shibboleth SP

David Beaumont D.Beaumont at kent.ac.uk
Fri Feb 3 22:45:41 GMT 2012


This works for me:

module apacheshibsocket 1.0;

require {
        type var_run_t;
        type httpd_t;
        type initrc_t;
        type initrc_var_run_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file {open read};
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_var_run_t:file {open read};

The first two 'allow' lines give access to the shibd socket. The last allows access to the DiscoFeed json cache file. This may not be the most secure policy but it can't be any worse than disabling SELinux. Install with these commands:

$ checkmodule -M -m -o apacheshibsocket.mod apacheshibsocket.te
$ semodule_package -o apacheshibsocket.pp -m apacheshibsocket.mod
$ semodule -i apacheshibsocket.pp

Best of luck,
David
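
An added example, not part of David's message: a small shell helper that reduces AVC denial records for one source domain to candidate allow rules, so the three allow lines above can be checked against what was actually denied. The audit records are constructed samples (pids, inodes, file names and timestamps are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): turn AVC denials for one source
# domain into candidate allow rules, to compare with a hand-written module.

# Constructed audit records; pids, inodes, names and timestamps are made up.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1328308000.101:501): avc:  denied  { write } for  pid=2101 comm="httpd" name="shibd.sock" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1328308000.102:502): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1328308001.201:503): avc:  denied  { read } for  pid=2101 comm="httpd" name="discofeed.json" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1328308001.202:504): avc:  denied  { read open } for  pid=2101 comm="httpd" name="discofeed.json" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1328308002.301:505): avc:  denied  { read } for  pid=3300 comm="ntpd" name="example.conf" dev=dm-0 ino=1003 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
EOF
}

# avc_to_allow SOURCE_TYPE: read AVC records on stdin, keep denials whose
# source type matches, merge permissions per (target type, class) and print
# one allow rule per pair.
avc_to_allow() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # The denied permissions sit between the braces.
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != want || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) set[key] = set[key] " " p[j]
    }
    END { for (k in set) print "allow " k " {" set[k] " };" }
    ' | LC_ALL=C sort
}

# On a live host the input would come from the audit log instead, e.g.:
#   ausearch -m avc -c httpd --raw | avc_to_allow httpd_t
sample_avc | avc_to_allow httpd_t
```

Any rule in a module that has no matching line in this output grants more than the denials required.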


On 3 Feb 2012, at 22:35, Tom Poage wrote:

> SELinux?
> 
> The DS won't work when set to Enforcing (and I haven't worked out a
> policy for it).
> 
> Tom.
> 
> On 02/03/2012 01:43 PM, Eugene Dvorkin wrote:
>> This is not my case. This is a brand new installation, 2.4 - I installed
>> it a couple of days ago on CentOS from rpm.  The handler exists in
>> shibboleth2.xml and is uncommented. Probably I misconfigured something.
>> 
> ...
>> 
>> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>