*sigh* it was indeed SELinux. I thought it had it disabled. Still not exactly sure why when I wrapped the init.d statement with a 'sh' it works, but nevertheless you solved my issue. Thanks John. On Tue, Mar 29, 2011 at 2:16 PM, John Dennis <jdennis@redhat.com> wrote:
On 03/29/2011 03:09 PM, Christopher Athans wrote:
Greetings all, I've been racking my brains out trying to solve/debug the following issue, hopefully someone can provide a new perspective.
I've implemented mOTP as en external authentication program by defining it in radiusd.conf with a Program = "/etc/raddb/otpverify.sh" statement. As I said, it does indeed work properly, except, when I start the radiusd server up as a daemon via init.d
radiusd -X - Works properly service radiusd start or /etc/init.d/radiusd start FAILS sh /etc/init.d/radiusd start Works
When it works properly, I get proper Accept Replys. When it 'fails', its due to not being able to execute the script and this is logged in radius.log Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied
In all the above scenarios, I was root when executing the statements. I am *not* in a chroot jail, all the necessary directories are read/write by user 'radiusd' which is what the process is running as. I'm also using the init.d script that came with the CentOS package.
My linux platform and freeradius information is as follows:
CentOS 5.5 - 2.6.18-194.32.1.el5 #1 SMP x86_64 GNU/Linux running FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.
Thanks for any assistance with this.
Is SELinux enabled?
% getenforce
If it's enforcing then set it to permissive mode
% setenforce 0
Now does it work? If so what were your recent AVC's in /var/log/audit/audit.log?
Not the problem? Then verify the script can run as the radiusd user.
-- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/