Merge pull request #10199 from IQSS/10193_Shibboleth_SELinux

ofahimIQSS · web-flow · commit 66abe87fa59d · 2024-11-19T11:48:28.000-05:00
document configuring SELinux for Shibboleth
diff --git a/doc/sphinx-guides/source/developers/selinux.rst b/doc/sphinx-guides/source/developers/selinux.rst
@@ -8,7 +8,7 @@ SELinux
 Introduction
 ------------
 
-The ``shibboleth.te`` file below that is mentioned in the :doc:`/installation/shibboleth` section of the Installation Guide was created on CentOS 6 as part of https://github.com/IQSS/dataverse/issues/3406 but may need to be revised for future versions of RHEL/CentOS (pull requests welcome!). The file is versioned with the docs and can be found in the following location:
+The ``shibboleth.te`` file below that was mentioned in the :doc:`/installation/shibboleth` section of the Installation Guide was created on CentOS 6 as part of https://github.com/IQSS/dataverse/issues/3406 but may need to be revised for future versions of RHEL/CentOS (pull requests welcome!). The file is versioned with the docs and can be found in the following location:
 
 ``doc/sphinx-guides/source/_static/installation/files/etc/selinux/targeted/src/policy/domains/misc/shibboleth.te``
 
diff --git a/doc/sphinx-guides/source/installation/shibboleth.rst b/doc/sphinx-guides/source/installation/shibboleth.rst
@@ -205,43 +205,21 @@ The first and easiest option is to set ``SELINUX=permisive`` in ``/etc/selinux/c
 Reconfigure SELinux to Accommodate Shibboleth
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The second (more involved) option is to use the ``checkmodule``, ``semodule_package``, and ``semodule`` tools to apply a local policy to make Shibboleth work with SELinux. Let's get started.
+Issue the following commands to allow Shibboleth to function when SELinux is enabled:
 
-Put Type Enforcement (TE) File in misc directory
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Copy and paste or download the :download:`shibboleth.te <../_static/installation/files/etc/selinux/targeted/src/policy/domains/misc/shibboleth.te>` Type Enforcement (TE) file below and put it at ``/etc/selinux/targeted/src/policy/domains/misc/shibboleth.te``.
-
-.. literalinclude:: ../_static/installation/files/etc/selinux/targeted/src/policy/domains/misc/shibboleth.te
-   :language: text
-
-(If you would like to know where the ``shibboleth.te`` came from and how to hack on it, please see the :doc:`/developers/selinux` section of the Developer Guide. Pull requests are welcome!)
-
-Navigate to misc directory
-^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-``cd /etc/selinux/targeted/src/policy/domains/misc``
-
-Run checkmodule
-^^^^^^^^^^^^^^^
-
-``checkmodule -M -m -o shibboleth.mod shibboleth.te``
-
-Run semodule_package
-^^^^^^^^^^^^^^^^^^^^
-
-``semodule_package -o shibboleth.pp -m shibboleth.mod``
-
-Silent is golden. No output is expected.
-
-Run semodule
-^^^^^^^^^^^^
+.. code-block:: none
 
-``semodule -i shibboleth.pp``
+    # Allow httpd to connect to network and read content
+    sudo /usr/sbin/setsebool -P httpd_can_network_connect 1
+    sudo /usr/sbin/setsebool -P httpd_read_user_content 1
 
-Silent is golden. No output is expected. This will place a file in ``/etc/selinux/targeted/modules/active/modules/shibboleth.pp`` and include "shibboleth" in the output of ``semodule -l``. See the ``semodule`` man page if you ever want to remove or disable the module you just added.
+    # Allow httpd to connect to Shib socket
+    sudo grep httpd_t /var/log/audit/audit.log |/usr/bin/audit2allow -M allow_httpd_shibd_sock
+    sudo /usr/sbin/semodule -i allow_httpd_shibd_sock.pp
 
-Congrats! You've made the creator of https://stopdisablingselinux.com proud. :)
+    # Allow httpd to read /var/cache/shibboleth
+    sudo /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/cache/shibboleth(/.*)?"
+    sudo /usr/sbin/restorecon -vR /var/cache/shibboleth
 
 Restart Apache and Shibboleth
 -----------------------------
