From: Derek Atkins
Date: Thu, 31 Mar 2005 23:02:42 +0000 (+0000)
Subject: First pass at some SELinux policies for the Shibboleth SP.
X-Git-Tag: 1.3~305
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-sp.git;a=commitdiff_plain;h=b34502bdeef96aa7f9aca37b2035030be2e4a5e3
First pass at some SELinux policies for the Shibboleth SP. Generate shibshar.fc; use shibshar.te directly. The policy files are neither built NOR installed, currently. Also fix a small configure bug.
---
diff --git a/Makefile.am b/Makefile.am
index 46b65e8..60dbd1d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -22,7 +22,7 @@ WANT_SUBDIRS = @WANT_SUBDIRS@
 SUBDIRS = $(WANT_SUBDIRS)
 DIST_SUBDIRS = doc oncrpc shib schemas configs shib-target shar test \
- apache siterefresh shib-mysql-ccache xmlproviders
+ apache siterefresh shib-mysql-ccache xmlproviders selinux
 all-local: shibboleth.spec
diff --git a/configure.ac b/configure.ac
index 8cb5521..7a892c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -192,7 +192,7 @@ int i = 0;
 #error must use patched version 2.6.1 provided by Shibboleth project (http://wayf.internet2.edu/shibboleth/)
 #endif])],
 [AC_MSG_RESULT(OK)],
- [AC_MSG_FAILURE([Shibboleth requires patched Xerces version 2.6.1 (http://wayf.internet2.edu/shibboleth/)])])
+ [AC_MSG_ERROR([Shibboleth requires patched Xerces version 2.6.1 (http://wayf.internet2.edu/shibboleth/)])])
 AC_TRY_LINK(
 [#include ],
 [xercesc::XMLPlatformUtils::Initialize()],
@@ -241,7 +241,7 @@ WANT_SUBDIRS="doc shib schemas configs shib-target shar siterefresh test xmlprov
 AC_CONFIG_FILES([Makefile doc/Makefile shib/Makefile schemas/Makefile \
 configs/Makefile oncrpc/Makefile oncrpc/rpc/Makefile \
 shib-target/Makefile shar/Makefile siterefresh/Makefile \
- test/Makefile xmlproviders/Makefile])
+ test/Makefile xmlproviders/Makefile selinux/Makefile])
 # now deal with the rpc library, to see if we need to build our own 
diff --git a/selinux/.gitignore b/selinux/.gitignore
new file mode 100644
index 0000000..3d02e90
--- /dev/null
+++ b/selinux/.gitignore
@@ -0,0 +1,3 @@
+/Makefile.in
+/Makefile
+/shibshar.fc
\ No newline at end of file
diff --git a/selinux/Makefile.am b/selinux/Makefile.am
new file mode 100644
index 0000000..c13c06e
--- /dev/null
+++ b/selinux/Makefile.am
@@ -0,0 +1,21 @@
+## $Id$
+
+AUTOMAKE_OPTIONS = foreign
+
+varrundir = /var/run
+BUILDFILES = shibshar.fc
+CLEANFILES = $(BUILDFILES)
+
+all-data-local: $(BUILDFILES)
+
+install-data-local: all-data-local
+
+shibshar.fc: ${srcdir}/shibshar.fc.in Makefile ${top_builddir}/config.status
+ rm -f $@.tmp
+ sed < ${srcdir}/$@.in > $@.tmp \
+ -e 's:@-SBINDIR-@:${sbindir}:' \
+ -e 's:@-VARRUNDIR-@:${varrundir}:'
+ cmp -s $@ $@.tmp || mv $@.tmp $@
+ rm -f $@.tmp
+
+EXTRA_DIST = .cvsignore shibshar.fc.in shibshar.te
diff --git a/selinux/shibshar.fc.in b/selinux/shibshar.fc.in
new file mode 100644
index 0000000..8c1b4d2
--- /dev/null
+++ b/selinux/shibshar.fc.in
@@ -0,0 +1,4 @@
+# Shibboleth SHAR
+@-SBINDIR-@/shar -- system_u:object_r:shibshar_exec_t
+@-VARRUNDIR-@/shib-shar\.sock -s system_u:object_r:shibshar_var_run_t
+
diff --git a/selinux/shibshar.te b/selinux/shibshar.te
new file mode 100644
index 0000000..32c766c
--- /dev/null
+++ b/selinux/shibshar.te
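Review bot: `all-data-local` in selinux/Makefile.am is not a hook automake recognises, so shibshar.fc is only generated as a side effect of `install-data-local`, never by plain `make`; if the intent is for `make` to produce it, the target should be `all-local: $(BUILDFILES)`, and if the intent really is "not built", the `install-data-local` dependency contradicts the commit message. The sed substitution uses `:` as its delimiter, which silently breaks if `${sbindir}` ever contains a colon; a delimiter that cannot appear in a path is safer, e.g. `-e 's|@-SBINDIR-@|${sbindir}|'`. `EXTRA_DIST` lists `.cvsignore`, which this patch does not add (the file added is `.gitignore`), so `make dist` will fail unless that file exists outside the patch.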
@@ -0,0 +1,29 @@
+# Shibboleth SHAR
+
+# Define the shibshar daemon.
+daemon_domain(shibshar)
+
+# Transition the shar socket to the shibshar_var_run_t type
+# when the shar creates it
+file_type_auto_trans(shibshar_t, var_run_t, shibshar_var_run_t, sock_file)
+
+# Enable the shar to work
+can_exec(shibshar_t, shibshar_exec_t)
+uses_shlib(shibshar_t)
+can_network(shibshar_t)
+can_tcp_connect(shibshar_t, unconfined_t)
+allow shibshar_t etc_t:file r_file_perms;
+allow shibshar_t bin_t:dir r_dir_perms;
+allow shibshar_t bin_t:file rx_file_perms;
+allow shibshar_t var_log_t:dir rw_dir_perms;
+allow shibshar_t var_log_t:file rw_file_perms;
+allow shibshar_t var_log_t:file { create };
+
+allow shibshar_t shibshar_t:unix_stream_socket create_stream_socket_perms;
+allow shibshar_t shibshar_t:netlink_route_socket { create bind };
+
+# Enable HTTPD to connect to the shib-shar socket and read/write to it
+can_unix_connect(httpd_t, shibshar_var_run_t)
+allow httpd_t shibshar_var_run_t:sock_file { write };
+allow httpd_t shibshar_t:unix_stream_socket { connectto };
+
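Review bot: The three `var_log_t` rules grant shibshar_t read, write and create on every file labeled var_log_t, not just the shar's own log, so a compromised shar could read or tamper with other daemons' logs under /var/log; the least-privilege form is a private log type, `type shibshar_log_t, file_type, sysadmfile, logfile;` plus `file_type_auto_trans(shibshar_t, var_log_t, shibshar_log_t, file)` in place of the three allow lines (assuming the `logfile` attribute exists in the policy base this targets). `can_unix_connect(httpd_t, shibshar_var_run_t)` passes a file type where the macro expects the peer domain; in the strict-policy macros of this era it expands to `allow $1 $2:unix_stream_socket connectto`, which can never match against a sock_file type, and the explicit `allow httpd_t shibshar_t:unix_stream_socket { connectto };` two lines later already grants what is needed, so the macro call should be dropped or changed to `can_unix_connect(httpd_t, shibshar_t)`. `can_tcp_connect(shibshar_t, unconfined_t)` also looks broader than outbound HTTPS to an IdP would need and deserves a comment naming the peer it is meant for, e.g. `# TODO: which local unconfined service does the shar need a TCP connection to?`.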