Re: Freeradius-Users Digest, Vol 122, Issue 104
What is the best way to allow radiusd? Will I have to add cutom policy for each type of access that is blocked? Or is there a quick way that doesn't involve disabling SElinux? Message: 1 Date: Thu, 25 Jun 2015 13:34:14 +0000 From: Ben Gatewood <Ben.Gatewood@essensys.co.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: radiusd not starting at boot. Message-ID: <4B8DA7A1-2801-4D0C-8FC7-1749BFB031EF@essensys.co.uk> Content-Type: text/plain; charset="utf-8" "SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary" On 25/06/2015 14:28, "firing neurons" <firingneurons@mail.com> wrote:
I am using 3.0.8.
The result of service radiusd status:
Redirecting to /bin/systemctl status -l radiusd.service ● radiusd.service - FreeRADIUS high performance RADIUS server. Loaded: loaded (/usr/lib/systemd/system/ radiusd.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Fri 2015-06-26 00:08:14 IST; 5h 24min left Process: 819 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE) Process: 794 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS) Jun 26 00:08:11 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server.... Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1 Jun 26 00:08:14 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server.. Jun 26 00:08:14 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state. Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service failed.
result of service radiusd start: Redirecting to /bin/systemctl start radiusd.service Job for radiusd.service failed. See "systemctl status radiusd.service" and "journalctl -xe" for details. [cleardot.gif] result of journalctl -xe:
Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventin g radiusd from read access on the file /etc/raddb/dictionary. For complete SELin ux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14 Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radius d from read access on the file /etc/raddb/dictionary.
***** Plugin restorecon (99 .5 confidence) suggests ************************
If you want to fix the label . /etc/raddb/dictionary defaul t label should be radiusd_etc_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/r addb/dictionary
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that radiusd should be allowed read access on the dictionary file by default. Then you should report this as a bug. You can generate a local pol icy module to allow this access. Do allow this access for now by executing: # grep radiusd /var/log/audi t/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventin g radiusd from read access on the file /etc/raddb/clients.conf. For complete SEL inux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14 Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radius d from read access on the file /etc/raddb/clients.conf.
***** Plugin restorecon (99 .5 confidence) suggests ************************
If you want to fix the label .
/etc/raddb/clients.conf defa ult label should be radiusd_etc_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/r addb/clients.conf
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that radiusd should be allowed read access on the clients.conf file by default. Then you should report this as a bug. You can generate a local pol icy module to allow this access. Do allow this access for now by executing: # grep radiusd /var/log/audi t/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Jun 25 18:50:56 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2678:78843 (system bus name :1.64, object path /org/freed esktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bu s) Jun 25 18:51:00 localhost.localdomain polkitd[660]: Registered Authentication Ag ent for unix-process:2863:79253 (system bus name :1.65 [/usr/bin/pkttyagent --no tify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAge nt, locale en_IN.UTF-8) Jun 25 18:51:00 localhost.localdomain systemd[1]: Starting FreeRADIUS high perfo rmance RADIUS server.... -- Subject: Unit radiusd.service has begun start-up -- Defined-By: systemd -- Support: [1]http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit radiusd.service has begun starting up. Jun 25 18:51:00 localhost.localdomain audit[2886]: <audit-1400> avc: denied { sys_ptrace } for pid=2886 comm="radiusd" capability=19 scontext=system_u:syste m_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permi ssive=0 Jun 25 18:51:00 localhost.localdomain kernel: ptrace of pid 2885 was attempted b y: radiusd (pid 2886) Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="dictionary" dev="dm-1" ino=1711521 sco ntext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t: s0 tclass=file permissive=0 Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" ino=1711520 s context=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_ t:s0 tclass=file permissive=0 Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service: control proce ss exited, code=exited status=1 Jun 25 18:51:00 localhost.localdomain systemd[1]: Failed to start FreeRADIUS hig h performance RADIUS server.. -- Subject: Unit radiusd.service has failed -- Defined-By: systemd -- Support: [2]http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit radiusd.service has failed. -- -- The result is failed. Jun 25 18:51:00 localhost.localdomain systemd[1]: Unit radiusd.service entered f ailed state. Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service failed. Jun 25 18:51:00 localhost.localdomain audit[1]: <audit-1130> pid=1 uid=0 auid=42 94967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radiusd comm= "systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed ' Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventin g radiusd from using the sys_ptrace capability. For complete SELinux messages. r un sealert -l cac781eb-1cae-4673-b684-6308a2c7ff2b Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radius d from using the sys_ptrace capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that radiusd should have the sys_ptrace capability by default. Then you should report this as a bug. You can generate a local pol icy module to allow this access. Do allow this access for now by executing: # grep radiusd /var/log/audi t/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventin g radiusd from read access on the file /etc/raddb/dictionary. For complete SELin ux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14 Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radius d from read access on the file /etc/raddb/dictionary.
***** Plugin restorecon (99 .5 confidence) suggests ************************
If you want to fix the label . /etc/raddb/dictionary defaul t label should be radiusd_etc_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/r addb/dictionary
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that radiusd should be allowed read access on the dictionary file by default. Then you should report this as a bug. You can generate a local pol icy module to allow this access. Do allow this access for now by executing: # grep radiusd /var/log/audi t/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventin g radiusd from read access on the file /etc/raddb/clients.conf. For complete SEL inux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14 Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radius d from read access on the file /etc/raddb/clients.conf.
***** Plugin restorecon (99 .5 confidence) suggests ************************
If you want to fix the label .
/etc/raddb/clients.conf defa ult label should be radiusd_etc_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/r addb/clients.conf
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that radiusd should be allowed read access on the clients.conf file by default. Then you should report this as a bug. You can generate a local pol icy module to allow this access. Do allow this access for now by executing: # grep radiusd /var/log/audi t/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Jun 25 18:51:01 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2863:79253 (system bus name :1.65, object path /org/freed esktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bu s) - List info/subscribe/unsubscribe? See [3]http://www.freeradius.org/list/users.html
References 1. http://lists.freedesktop.org/mailman/listinfo/systemd-devel 2. http://lists.freedesktop.org/mailman/listinfo/systemd-devel 3. http://www.freeradius.org/list/users.html
What is the best way to allow radiusd?
The standard SELinux policy contains bits for RADIUS, primarily for the ports. Which version of RHEL/CentOS and which version of FR are you using? More info will be more useful. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Sat, 2015-07-18 at 19:01 +0200, firing neurons wrote:
Will I have to add cutom policy for each type of access that is blocked? Or is there a quick way that doesn't involve disabling SElinux?
Is this installed from an RPM? If so, you've broken the configuration. Try to avoid doing that. As the error message says you can run restorecon to correctly label the filesystem. Do it on the whole directory: # restorecon -v -r /path/to/directory If that doesn't work, you'll need to apply the types manually with chcon, e.g.: # chcon -R -t radiusd_etc_t /path/to/directory -- Regards, Adam Bishop gpg: 0x6609D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
participants (3)
-
Adam Bishop -
firing neurons -
Stefan Paetow