From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 14 Mar 2014 10:36:33 -0400
Subject: [refpolicy] Policy module for shibboleth authentication daemon
In-Reply-To: <5314B0AA.8080408@automata.rwth-aachen.de>
References: <5314B0AA.8080408@automata.rwth-aachen.de>
Message-ID: <532313F1.7070301@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/03/2014 11:41 AM, Martin Lang wrote:
> I designed a policy module for the shibboleth authentication daemon (see
> http://shibboleth.internet2.edu/). Shibboleth is a single sign-on
> service mainly used in academic environments. The service consists of an
> apache module and a background daemon. The background daemon
> communicates with the remote authentication server whereas the apache
> only communicates locally with the authentication daemon via unix stream
> socket.
>
> I attached the policy files to this mail and would like the module to be
> included in the reference policy. I tested the rules on a Debian wheezy
> machine.
>
> I'm open for improvements and other comments.

It looks like a good start. The big thing that prevents its inclusion is
the httpd_t usage in the module:

> # Allow the apache shibboleth module to connect to shibd
> gen_require(`
> 	type httpd_t;
> ')
> stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
>
> # Allow apache module to read shibboleth configuration
> shibboleth_read_config(httpd_t)

This access would need to go into the apache module. The organization
would need to be adjusted too[1], but that is minor.

[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Finally, I'd prefer that you submit it via "git format-patch -n -s" and
send via "git send-email". It's not required, but it makes it easier to
commit.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
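The restructuring the reply asks for, shown as an added illustration that is not part of this thread or of the submitted module: shibboleth.te stops naming httpd_t, the socket access becomes an interface in shibboleth.if, and apache.te calls that interface inside an optional_policy block. `shibboleth_stream_connect` is an assumed interface name; `shibboleth_read_config` is the interface the submitted module already provides, and the /run location of the socket is assumed from the `shibboleth_var_run_t` type.

```m4
########################################
# shibboleth.if: access to shibd that other domains may request.
# Nothing in this module needs to know about httpd_t.
#
## <summary>
##	Connect to shibd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`shibboleth_stream_connect',`
	gen_require(`
		type shibboleth_t, shibboleth_var_run_t;
	')

	# Assumption: the socket sits under the pid directory, so the
	# caller needs search on /run before it can reach the socket file.
	files_search_pids($1)
	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
')

########################################
# apache.te: the httpd side of the same access. The optional_policy
# wrapper means apache still builds when the shibboleth module is
# absent, which is why the rules belong here rather than in shibboleth.te.
#
optional_policy(`
	# Apache's shibboleth module talks to shibd over the local socket
	shibboleth_stream_connect(httpd_t)

	# ... and reads the shibboleth configuration
	shibboleth_read_config(httpd_t)
')
```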