O.K. I have checked the audit logs and there is nothing in there. But you are right, setting selinux to permissive allows the server to start. Thus, I have disabled the dontaudit rules and checked the audit log again and then you can easily find the solution: # semodule -DB # ausearch -m avc | audit2allow … #============= radiusd_t ============== #!!!! This avc has a dontaudit rule in the current policy allow radiusd_t self:capability net_admin; #!!!! This avc can be allowed using the boolean 'radius_use_jit' allow radiusd_t self:process execmem; … The selinux policy seems already to be prepared for this issue. Thus # setsebool -P radius_use_jit=1 # getsebool radius_use_jit radius_use_jit --> on # systemctl start radiusd # semodule -B And now it starts even in enforcing mode. Regards.
On 22. Aug 2025, at 13:33, Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On 22/08/2025 12:08, Alan DeKok via Freeradius-Users wrote:
On Aug 22, 2025, at 6:57 AM, mohair.scarves.0i--- via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I can confirm this problem on AlmaLinux 9. It seems to be related to the use of pcre2 which wasn’t used before. Well, that's unfriendly. I would suspect that it's related to the PCRE JIT. i.e. if you run it as root, the JIT can get executable memory. When you run it as a non-root user, the OS won't give the JIT executable memory.
Yes. Looks like PCRE2 with JIT needs selinux policies to work - disabling selinux will likely also fix the issue.
We had to put PCRE2 in because Rocky10 and Debian13 don't include PCRE1 any more. But the configure script then automatically picked that for the existing OSes as well.
We can likely patch the code, and issue RPMs of 3.2.8-1. I don't think there's a need for an official 3.2.9 yet.
Yeah, I'm working on 3.2.8-2 packages to flip it back to PCRE1.
Thanks Nick for debugging this one in detail.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html