RHEL Linux, SELinux and Shibboleth

83 views
Skip to first unread message

Venkatachalam Kannadasan

unread,
Oct 3, 2016, 2:43:44 AM10/3/16
to Dataverse Users Community
Hi Everyone

We are currently using RHEL 7 for our development server to run Dataverse. Our IT team want us to set SELinux enforcing ON and as you all know Shibboleth doesnt work with it. We would like to learn from those who are using RHEL 7, Dataverse and Shibboleth how you managed to secure the server with SELinux set to permissive. Also help to answer if you are using apache along with Glassfish.

Thanks and Regards
Venki
Nanyang Technological University

Donald Sizemore II

unread,
Oct 13, 2016, 9:11:50 AM10/13/16
to Dataverse Users Community
Hello from Chapel Hill!

As you've noted, Shibboleth with SELinux is the sticking point, as per Phil and other members of the Dataverse IRC channel, Dataverse functions fine with SELinux enforcing.

Dataverse.unc.edu is running RHEL7 with Shibboleth 2.6, with each service (glassfish, httpd, rserve, shibd) running as separate, non-privileged users.

The machine runs a host-based firewall and sits behind a hardware firewall and our campus IDS tipping points, and our campus satellite server alerts me to security patches.

Our Apache config is pretty much identical to http://guides.dataverse.org/en/latest/installation/shibboleth.html#configure-apache though we allow an additional ProxyPassMatch for an images/ subdirectory for our Shib SP logo.

Does this help?
Donald

Philip Durbin

unread,
Oct 14, 2016, 10:56:30 AM10/14/16
to dataverse...@googlegroups.com
Thanks, Don. Venki, I'm wondering if you'd be able to find someone to write a SELinux Type Enforcement (TE) file to make Shibboleth work with SELinux and contribute that file to the Shibboleth project. That's my first suggestion is this issue I just opened: https://github.com/IQSS/dataverse/issues/3406

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/9674d03a-b0aa-4174-ac3c-e08c13c30451%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

Venkatachalam Kannadasan

unread,
Oct 16, 2016, 10:40:43 PM10/16/16
to Dataverse Users Community
Hello Donald

Thanks a lot for taking your time to reply for my question. Yes this would definitely help. I will share this information with my IT colleague and get him to setup Shib with SELinux enforcing. Will get back to you guys once I get this done.

Thanks and Regards
Venki

Venkatachalam Kannadasan

unread,
Oct 16, 2016, 10:46:46 PM10/16/16
to Dataverse Users Community, philip...@harvard.edu
Thanks Phil for the suggestion. Yes my IT colleague was suggesting to me that he would check the logs and add new rules to allow those that fails when using Shibboleth. But my worry was what if the issue couldnt be resolved and I am told not to use Shibboleth. That was why I am checking now to prepare for the worst case scenario. Donald's reply would be a good response that I can share to say how others have secured their servers.

As I told Donald, will keep you all updated once I hear from my IT colleague.

Thanks and Regards
Venki 


On Friday, October 14, 2016 at 10:56:30 PM UTC+8, Philip Durbin wrote:
Thanks, Don. Venki, I'm wondering if you'd be able to find someone to write a SELinux Type Enforcement (TE) file to make Shibboleth work with SELinux and contribute that file to the Shibboleth project. That's my first suggestion is this issue I just opened: https://github.com/IQSS/dataverse/issues/3406
On Thu, Oct 13, 2016 at 9:11 AM, Donald Sizemore II <don.si...@gmail.com> wrote:
Hello from Chapel Hill!

As you've noted, Shibboleth with SELinux is the sticking point, as per Phil and other members of the Dataverse IRC channel, Dataverse functions fine with SELinux enforcing.

Dataverse.unc.edu is running RHEL7 with Shibboleth 2.6, with each service (glassfish, httpd, rserve, shibd) running as separate, non-privileged users.

The machine runs a host-based firewall and sits behind a hardware firewall and our campus IDS tipping points, and our campus satellite server alerts me to security patches.

Our Apache config is pretty much identical to http://guides.dataverse.org/en/latest/installation/shibboleth.html#configure-apache though we allow an additional ProxyPassMatch for an images/ subdirectory for our Shib SP logo.

Does this help?
Donald

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

Philip Durbin

unread,
Oct 18, 2016, 8:11:22 PM10/18/16
to dataverse...@googlegroups.com
Yesterday I sat with *my* colleague and it's what we came up with. I also documented the process by which we created the "shibboleth.te" file. It's all in https://github.com/IQSS/dataverse/pull/3411/files

The bottom line is that Shibboleth seems to be working fine with SELinux enabled on a test box (CentOS 6) with the fix above applied. I'll send the pull request to QA after some code review but if you and your colleague can do some testing as well I'd appreciate it!

Phil

p.s. Oh, the bad news is that rApache doesn't work with SELinux (this isn't really news but I didn't know this was mentioned already in the Installation Guide). I don't know if you plan to use rApache though. In theory, a similar solution might work.

On Sun, Oct 16, 2016 at 10:46 PM, Venkatachalam Kannadasan <kanna...@gmail.com> wrote:
Thanks Phil for the suggestion. Yes my IT colleague was suggesting to me that he would check the logs and add new rules to allow those that fails when using Shibboleth. But my worry was what if the issue couldnt be resolved and I am told not to use Shibboleth. That was why I am checking now to prepare for the worst case scenario. Donald's reply would be a good response that I can share to say how others have secured their servers.

As I told Donald, will keep you all updated once I hear from my IT colleague.

Thanks and Regards
Venki 

On Friday, October 14, 2016 at 10:56:30 PM UTC+8, Philip Durbin wrote:
Thanks, Don. Venki, I'm wondering if you'd be able to find someone to write a SELinux Type Enforcement (TE) file to make Shibboleth work with SELinux and contribute that file to the Shibboleth project. That's my first suggestion is this issue I just opened: https://github.com/IQSS/dataverse/issues/3406
On Thu, Oct 13, 2016 at 9:11 AM, Donald Sizemore II <don.si...@gmail.com> wrote:
Hello from Chapel Hill!

As you've noted, Shibboleth with SELinux is the sticking point, as per Phil and other members of the Dataverse IRC channel, Dataverse functions fine with SELinux enforcing.

Dataverse.unc.edu is running RHEL7 with Shibboleth 2.6, with each service (glassfish, httpd, rserve, shibd) running as separate, non-privileged users.

The machine runs a host-based firewall and sits behind a hardware firewall and our campus IDS tipping points, and our campus satellite server alerts me to security patches.

Our Apache config is pretty much identical to http://guides.dataverse.org/en/latest/installation/shibboleth.html#configure-apache though we allow an additional ProxyPassMatch for an images/ subdirectory for our Shib SP logo.

Does this help?
Donald

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Tim DiLauro

unread,
Oct 21, 2016, 12:54:20 PM10/21/16
to dataverse...@googlegroups.com
Hi Phil & Venki,

Sorry to be late to this thread, but I'm short on cycles lately.

I have shibboleth working fine with Apache httpd. GitHub is down right now, so I can't look at your solution, so I'll just drop my solution here for your perusal, in case it's useful..

1) Create a policy module type enforcement src file (I typically call it http_mod_shib.te), with the following content:
module http_mod_shib 1.0;
require {
        type var_run_t;
        type httpd_t;
        type init_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t init_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;

You can create it by running this command...

# cat <<"EOF" > http_mod_shib.te
module http_mod_shib 1.0;
require {
        type var_run_t;
        type httpd_t;
        type init_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t init_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
EOF

2) Compile that into a policy module (.pp) file:
# checkmodule -M -m -o http_mod_shib.mod http_mod_shib.te
# semodule_package -o http_mod_shib.pp -m http_mod_shib.mod

3) Install the policy
# semodule -i http_mod_shib.pp

4) Apply the policy to the directory in which the shine socket is created:
# restorecon -R /var/run/shibboleth

Cheers,
~Tim


To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.

To post to this group, send email to dataverse...@googlegroups.com.

Philip Durbin

unread,
Oct 26, 2016, 4:41:11 PM10/26/16
to dataverse...@googlegroups.com
Thanks, Tim! I referenced your version of the TE file at https://github.com/IQSS/dataverse/issues/3406#issuecomment-255807621

Venki, https://github.com/IQSS/dataverse/pull/3411 was just merged so the docs I wrote will be in the next release. I hope the documented solution works for you. If not, please let us know!

To post to this group, send email to dataverse-community@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Venkatachalam Kannadasan

unread,
Nov 21, 2016, 10:07:43 AM11/21/16
to Dataverse Users Community, philip...@harvard.edu
Hi Phil and Tim

Thank you for your help and for the solution which I had provided to my server admin. He wanted to make the system more restrictive but still make shibboleth work. 

So here are the steps that he has taken on RHEL7 server to support Shibboleth while keeping SELinux in enforcing mode.

 

(1) Label httpd_sys_content_t

 

  # semanage fcontext -a -t httpd_sys_content_t "/var/cache/shibboleth(/.*)?"

 

(2) Label httpd_sys_rw_content_t

 

  # semanage fcontext -a -t httpd_sys_rw_content_t '/var/run/shibboleth/shibd.sock'

 

(3) Extend shibd.service configuration

 

  # mkdir /etc/systemd/system/shibd.service.d/

 

  Create new file /etc/systemd/system/shibd.service.d/extend.conf with contents:

 

[Service]

ExecStartPost=/sbin/restorecon -R /var/run/shibboleth /var/cache/shibboleth

 

  # systemctl daemon-reload



 Phil please let me know if this works for you guys. I thought I would share this for the benefit of other RHEL 7 users.

Regards
Venki
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

Philip Durbin

unread,
Nov 21, 2016, 10:20:31 AM11/21/16
to dataverse...@googlegroups.com
Hi Venki,

Thank you very much for testing on RHEL/CentOS 7! I'm glad it's working! At this time the Dataverse team at IQSS only tests on RHEL/CentOS 6 (not 7) so can you please open a GiHub issue with the details you've provided? You can call the issue something like "Retest Shibboleth and SELinux compatibility on CentOS 7".

Thanks!

Phil

p.s. Here is the main area where we talk about CentOS 6 in the Installation Guide: "Before running the Dataverse installation script, you must install and configure the following software, preferably on a distribution of Linux such as RHEL or its derivatives such as CentOS. After following all the steps below (which have been written based on CentOS 6), you can proceed to the Installation section." http://guides.dataverse.org/en/4.5.1/installation/prerequisites.html



To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages