Error: Exec-Program: Permission Denied when running via service start

Christopher Athans cathans at gmail.com
Tue Mar 29 21:20:59 CEST 2011


*sigh* it was indeed SELinux.  I thought I had it disabled.  Still
not exactly sure why when I wrapped the init.d statement with a 'sh'
it works, but nevertheless you solved my issue.  Thanks John.

On Tue, Mar 29, 2011 at 2:16 PM, John Dennis <jdennis at redhat.com> wrote:
> On 03/29/2011 03:09 PM, Christopher Athans wrote:
>>
>> Greetings all, I've been racking my brains out trying to solve/debug
>> the following issue, hopefully someone can provide a new perspective.
>>
>> I've implemented mOTP as an external authentication program by
>> defining it in radiusd.conf with a Program = "/etc/raddb/otpverify.sh"
>> statement.
>> As I said, it does indeed work properly, except, when I start the
>> radiusd server up as a daemon via init.d
>>
>> radiusd -X   - Works properly
>> service radiusd start or /etc/init.d/radiusd start FAILS
>> sh /etc/init.d/radiusd start Works
>>
>> When it works properly, I get proper Accept Replies.  When it 'fails',
>> it's due to not being able to execute the script and this is logged in
>> radius.log
>> Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh:
>> Permission denied
>>
>> In all the above scenarios, I was root when executing the statements.
>> I am *not* in a chroot jail, all the necessary directories are
>> read/write by user 'radiusd' which is what the process is running as.
>> I'm also using the init.d script that came with the CentOS package.
>>
>> My Linux platform and FreeRADIUS information is as follows:
>>
>> CentOS 5.5 -  2.6.18-194.32.1.el5 #1 SMP  x86_64 GNU/Linux
>> running  FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.
>>
>>
>> Thanks for any assistance with this.
>
> Is SELinux enabled?
>
> % getenforce
>
> If it's enforcing then set it to permissive mode
>
> % setenforce 0
>
> Now does it work? If so what were your recent AVCs in
> /var/log/audit/audit.log?
>
> Not the problem? Then verify the script can run as the radiusd user.
>
>
>
> --
> John Dennis <jdennis at redhat.com>
>



