Shibboleth support for Dataverse requires SELinux to be disabled or set to permissive

[pdurbin]

As documented at http://guides.dataverse.org/en/4.5.1/installation/shibboleth.html#disable-selinux the way Shibboleth support has been implemented for Dataverse requires that SELinux be disabled or set to permissive.

Users such as @Venki18 have indicated at https://groups.google.com/d/msg/dataverse-community/U04sLtEkJ7Q/HTufSDqgAgAJ that "Our IT team want us to set SELinux enforcing ON". As of this writing the number one goal at http://dataverse.org/goals-roadmap-and-releases is "increase adoption (users, dataverses, datasets, installations, journals)" so we should attempt to address this issue for potential installations of Dataverse.

To be clear, Dataverse itself runs fine with SELinux enabled. It's shibd and friends that don't work with SELinux. As of this writing https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSELinux says, "At the present time, we do not support the SP in conjunction with SELinux, and at minimum we know that communication between the mod_shib and shibd components will fail if it's enabled. Other problems may also occur."

There are a few ways we could address this issue, and here is my preferred order:

• Find someone to write an SELinux Type Enforcement (TE) file ( https://selinuxproject.org/page/NB_TE ) and contribute it to the Shibboleth project so that all users of Shibboleth and SELinux can benefit. The know-how to create these files does exist in the world: https://irclog.perlgeek.de/crimsonfu/2016-10-05#i_13342065
• Switch to Ubuntu, Debian, or any other Linux distribution where SELinux doesn't exist or isn't common (Dataverse on Debian and Ubuntu #1059).
• Abandon using shibd and friends and instead implement Shibboleth (SAML) support is some other manner. Before settling on shibd I looked at OIOSAML, OpenAM, and writing our own SAML implementation, as detailed at https://docs.google.com/document/d/1y2axfd_ScmXVICFlV8AuPDdp5xHwTag54pUpVefzs5g/edit?usp=sharing

[pdurbin]

@whorka has what seems to be excellent advice in this area: "Typically, the simplest way to do this is to feed the audit log messages through the "audit2allow" tool, which generates SELinux rules to permit any of the denied operations. You can see an example of this at https://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01 ."

[pdurbin]

@whorka and I came up with this and it seems to work!

module shibboleth 1.0;

require {
    class file {open read};
    class sock_file write;
    class unix_stream_socket connectto;
    type initrc_t;
    type httpd_t;
    type var_run_t;
    type var_t;
}

allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_t:file {open read};

[pdurbin]

I just made pull request #3411 to document how to make use of the SELinux Type Enforcement (TE) file I posted above. At https://waffle.io/IQSS/dataverse I'm advancing this to Code Review and @landreev said he'd be willing to take a look since there's potential for figuring out how to get rApache to work with SELinux as well. The pull request is only a change to the Installation Guide and the Developer Guide.

@whorka suggested that we could add it to the installer as well and @landreev and I discussed this but ultimately agreed that just like how TwoRavens is an optional component and has its own installer, Shibboleth shouldn't be in the main installer either since it's also optional. That's our current thinking anyway. Maybe @donsizemore can add the SELinux magic to https://github.com/IQSS/dataverse-ansible and maybe @lwo can add it to https://github.com/IQSS/dataverse-puppet . I don't know that https://github.com/IQSS/dataverse-aws supports Shibboleth at all so I'll leave @telnoratti and @joelmarkanderson alone for now. 😄

I'd love to hear from @Venki18 if the fix works for him. It sounds like he and a colleague are starting to work on a parallel effort: https://groups.google.com/d/msg/dataverse-community/U04sLtEkJ7Q/AUUBXxffBgAJ

[pdurbin]

@djbrooke said to go ahead and add a milestone of 4.6 on this so I just did.

[pdurbin]

@landreev @Venki18 to make it easier to see the changing to the guides @kcondon just built the docs in a temporary location (thanks!). To see the "diff" please go to f9e6b14 but to see the rendered HTML pages, please visit the following places that have changed in pull request #3411:

• http://guides.dataverse.org/en/3406-shib-selinux/installation/shibboleth.html#disable-or-reconfigure-selinux
• http://guides.dataverse.org/en/3406-shib-selinux/installation/r-rapache-tworavens.html#a-httpd-apache
• http://guides.dataverse.org/en/3406-shib-selinux/developers/selinux.html

I've given this issue to @landreev for code review but I've also encouraged @Venki18 and his colleague to do some of their own testing: https://groups.google.com/d/msg/dataverse-community/U04sLtEkJ7Q/5boz_xl0BwAJ

[pdurbin]

@landreev the guy who added the Picard gif (the guy behind http://stopdisablingselinux.com ) also wrote this: "the policy looks okay to me -- but i've only tested it with my eye-parser :P" -- https://irclog.perlgeek.de/crimsonfu/2016-10-20#i_13436213

Also, on Friday @tdilauro shared his own http_mod_shib.te file with the community: https://groups.google.com/d/msg/dataverse-community/U04sLtEkJ7Q/Ea98RneSAAAJ

[pdurbin]

@landreev left his (positive) code review at #3411 (review) so this issue is now in QA.

[kcondon]

Built, doc looks ok. Trusting accuracy of content to Phil and Bill, closing.