freeradius will not start when SELINUX is enabled
Hi, I use daemontool's supervise to manage the RADIUS service, and have been doing it for years. Now that I am migrating freeradius to another server, I am using Centos6 RPM to install the software versus compiling from source, and I am getting the following: 2015-01-30 10:52:42.518 server backbone { # from file etc/sites-enabled/backbone 2015-01-30 10:52:42.518 modules { 2015-01-30 10:52:42.518 Module: Creating Auth-Type = digest 2015-01-30 10:52:42.518 Module: Checking authenticate {...} for more modules to load 2015-01-30 10:52:42.518 Module: Linked to module rlm_digest 2015-01-30 10:52:42.518 Module: Instantiating module "digest" from file etc/modules/digest 2015-01-30 10:52:42.518 Module: Checking authorize {...} for more modules to load 2015-01-30 10:52:42.518 Module: Instantiating module "files_backbone" from file etc/radiusd.conf 2015-01-30 10:52:42.518 files files_backbone { 2015-01-30 10:52:42.518 usersfile = "etc/backbone/users" 2015-01-30 10:52:42.518 acctusersfile = "etc/backbone/acct_users" 2015-01-30 10:52:42.518 preproxy_usersfile = "etc/backbone/preproxy_users" 2015-01-30 10:52:42.518 compat = "no" 2015-01-30 10:52:42.518 } 2015-01-30 10:52:42.518 etc/backbone/users[171]: Could not open included file /home/crm/local-users/monitor: Permission denied 2015-01-30 10:52:42.519 Errors reading etc/backbone/users 2015-01-30 10:52:42.519 etc/radiusd.conf[681]: Instantiation failed for module "files_backbone" 2015-01-30 10:52:42.519 etc/sites-enabled/backbone[177]: Failed to load module "files_backbone". 2015-01-30 10:52:42.519 etc/sites-enabled/backbone[87]: Errors parsing authorize section. After this, the program stops, and supervise tries again and again to restart, always failing here. I have double-checked permissions, and do not see where I could be denying [root@dhcp1 radius]# ls -ld /home drwxr-xr-x. 6 root root 4096 Jan 30 09:49 /home [root@dhcp1 radius]# ls -ld /home/crm/ drwxr-xr-x. 7 crm crm 4096 Jan 30 10:22 /home/crm/ [root@dhcp1 radius]# ls -ld /home/crm/local-users/ drwxr-xr-x. 2 crm crm 4096 Nov 17 2010 /home/crm/local-users/ [root@dhcp1 radius]# ls -l /home/crm/local-users/ total 28 -rw-r--r--. 1 crm crm 253 Oct 8 15:25 admin -rw-r--r--. 1 crm crm 252 Jan 21 2011 monitor -rw-r--r--. 1 crm crm 943 Oct 8 15:25 noc -rw-r--r--. 1 crm crm 131 Oct 8 15:25 ps -rw-r--r--. 1 crm crm 668 Oct 8 15:25 super_tech -rw-r--r--. 1 crm crm 436 Oct 8 15:25 vpn Now, when I execute the server from the command-line manually, the server starts out without problems: ... server backbone { # from file etc/sites-enabled/backbone modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file etc/modules/digest Module: Checking authorize {...} for more modules to load Module: Instantiating module "files_backbone" from file etc/radiusd.conf files files_backbone { usersfile = "etc/backbone/users" acctusersfile = "etc/backbone/acct_users" preproxy_usersfile = "etc/backbone/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server ... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address * port 1645 Listening on accounting address * port 1646 Ready to process requests. The only issue is that SELINUX is enabled. After I disabled SELINUX, and restarted the server, and now the service starts without issues. After looking at the audit log, I see that: type=AVC msg=audit(1422637776.619:4172): avc: denied { search } for pid=9101 comm="radiusd" name="home" dev=dm-0 ino=261125 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1422637776.619:4172): arch=c000003e syscall=2 success=no exit=-13 a0=7fffedebf240 a1=0 a2=1b6 a3=0 items=0 ppid=31859 pid=9101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null) So, access is being denied to /home. Since my SELINUX knowledge is limited, I will run with SELINUX disabled, but I still do not understand why it would block access only on non-interactive executions. Maybe there should be mention in the FAQ regarding configuration files residing inside /home, or that SELINUX can make the deamon fail to start due to targeted policies using non standard configuration settings. -- Jorge Valdes
SELINUX can cause many things to fail You've seen that is selinux doing this.... and you are reading in files from non standard Latins l locations so now you need to find out why User the audit2why tool etc and also look at the file permissions correctly (ls -lZ .... ie look at the extended permissions) Heck maybe even just a restorecon -Rv on that home directory would be enough. Especially if the files have been copied from elsewhere This issue is true for ALL packages on such systems not from the distributing repository alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (2)
-
Alan Buxey -
Jorge Valdes