Generate shibshar.fc; use shibshar.te directly.
The policy files are neither built NOR installed, currently.
Also fix a small configure bug.
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@1460
cb58f699-b61c-0410-a6fe-
9272a202ed29
SUBDIRS = $(WANT_SUBDIRS)
DIST_SUBDIRS = doc oncrpc shib schemas configs shib-target shar test \
- apache siterefresh shib-mysql-ccache xmlproviders
+ apache siterefresh shib-mysql-ccache xmlproviders selinux
all-local: shibboleth.spec
#error must use patched version 2.6.1 provided by Shibboleth project (http://wayf.internet2.edu/shibboleth/)
#endif])],
[AC_MSG_RESULT(OK)],
- [AC_MSG_FAILURE([Shibboleth requires patched Xerces version 2.6.1 (http://wayf.internet2.edu/shibboleth/)])])
+ [AC_MSG_ERROR([Shibboleth requires patched Xerces version 2.6.1 (http://wayf.internet2.edu/shibboleth/)])])
AC_TRY_LINK(
[#include <xercesc/util/PlatformUtils.hpp>],
[xercesc::XMLPlatformUtils::Initialize()],
AC_CONFIG_FILES([Makefile doc/Makefile shib/Makefile schemas/Makefile \
configs/Makefile oncrpc/Makefile oncrpc/rpc/Makefile \
shib-target/Makefile shar/Makefile siterefresh/Makefile \
- test/Makefile xmlproviders/Makefile])
+ test/Makefile xmlproviders/Makefile selinux/Makefile])
# now deal with the rpc library, to see if we need to build our own
--- /dev/null
+Makefile.in
+Makefile
+shibshar.fc
--- /dev/null
+## $Id$
+
+AUTOMAKE_OPTIONS = foreign
+
+varrundir = /var/run
+BUILDFILES = shibshar.fc
+CLEANFILES = $(BUILDFILES)
+
+all-data-local: $(BUILDFILES)
+
+install-data-local: all-data-local
+
+shibshar.fc: ${srcdir}/shibshar.fc.in Makefile ${top_builddir}/config.status
+ rm -f $@.tmp
+ sed < ${srcdir}/$@.in > $@.tmp \
+ -e 's:@-SBINDIR-@:${sbindir}:' \
+ -e 's:@-VARRUNDIR-@:${varrundir}:'
+ cmp -s $@ $@.tmp || mv $@.tmp $@
+ rm -f $@.tmp
+
+EXTRA_DIST = .cvsignore shibshar.fc.in shibshar.te
--- /dev/null
+# Shibboleth SHAR
+@-SBINDIR-@/shar -- system_u:object_r:shibshar_exec_t
+@-VARRUNDIR-@/shib-shar\.sock -s system_u:object_r:shibshar_var_run_t
+
--- /dev/null
+# Shibboleth SHAR
+
+# Define the shibshar daemon.
+daemon_domain(shibshar)
+
+# Transition the shar socket to the shibshar_var_run_t type
+# when the shar creates it
+file_type_auto_trans(shibshar_t, var_run_t, shibshar_var_run_t, sock_file)
+
+# Enable the shar to work
+can_exec(shibshar_t, shibshar_exec_t)
+uses_shlib(shibshar_t)
+can_network(shibshar_t)
+can_tcp_connect(shibshar_t, unconfined_t)
+allow shibshar_t etc_t:file r_file_perms;
+allow shibshar_t bin_t:dir r_dir_perms;
+allow shibshar_t bin_t:file rx_file_perms;
+allow shibshar_t var_log_t:dir rw_dir_perms;
+allow shibshar_t var_log_t:file rw_file_perms;
+allow shibshar_t var_log_t:file { create };
+
+allow shibshar_t shibshar_t:unix_stream_socket create_stream_socket_perms;
+allow shibshar_t shibshar_t:netlink_route_socket { create bind };
+
+# Enable HTTPD to connect to the shib-shar socket and read/write to it
+can_unix_connect(httpd_t, shibshar_var_run_t)
+allow httpd_t shibshar_var_run_t:sock_file { write };
+allow httpd_t shibshar_t:unix_stream_socket { connectto };
+