2.1.1 - radiusd.sock - permission denied
Hi, I have installed FR2.1.1 onto a test server, built using the Fedora rawhide RPM source. No problems building and installing FR, but when I start FR it seems to immediately stop. The radius.log file just shows: Fri Sep 26 17:20:58 2008 : Error: Failed to stat /var/run/radiusd/radiusd.sock: Permission denied The ls command shows: ls -l /var/run/radiusd/radiusd.sock srw-rw---- 1 radiusd radiusd 0 Sep 26 16:53 /var/run/radiusd/radiusd.sock I have tried disabling selinux, and iptables, but they made no difference. Changing the permissions to 666 on the socket made no difference. Running 'radiusd -C' shows nothing, and 'radiusd -X' starts up okay. If I then use a different terminal I can run 'radmin' with no problem (which I gather uses the socket). The problem is, I can't see what permissions may be wrong. Anyone any ideas on this? John. -- --------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 587001
On Fri, 2008-09-26 at 17:31 +0100, John Horne wrote:
Hi,
I have installed FR2.1.1 onto a test server, built using the Fedora rawhide RPM source. No problems building and installing FR, but when I start FR it seems to immediately stop. The radius.log file just shows:
Fri Sep 26 17:20:58 2008 : Error: Failed to stat /var/run/radiusd/radiusd.sock: Permission denied
The ls command shows:
ls -l /var/run/radiusd/radiusd.sock srw-rw---- 1 radiusd radiusd 0 Sep 26 16:53 /var/run/radiusd/radiusd.sock
I have tried disabling selinux, and iptables, but they made no difference. Changing the permissions to 666 on the socket made no difference. Running 'radiusd -C' shows nothing, and 'radiusd -X' starts up okay. If I then use a different terminal I can run 'radmin' with no problem (which I gather uses the socket).
The problem is, I can't see what permissions may be wrong. Anyone any ideas on this?
Sigh. It's always on a Friday afternoon that you get these problems, send the message to the list and then see what the problem is! :-) Okay, I deleted the socket and then tried starting FR; it failed but the log file showed: Fri Sep 26 17:41:37 2008 : Error: Failed binding to /var/run/radiusd/radiusd.sock: Permission denied Disabling selinux, and FR then started up okay. Strange because I had tried disabling selinux before. oh well. Setting the selinux boolean 'radiusd_disable_trans' to on, and enabling selinux, seems to allow FR to work. However, I'm not sure what these booleans actually do (or restrict). John. -- --------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 587001
I have opened the following bugzilla to request the SELinux policy be updated to allow for the new unix domain socket: https://bugzilla.redhat.com/show_bug.cgi?id=464199 -- John Dennis <jdennis@redhat.com>
John Dennis wrote:
I have opened the following bugzilla to request the SELinux policy be updated to allow for the new unix domain socket:
This bug has now been fixed and closed, available in selinux-policy-3.5.9-2.fc10 -- John Dennis <jdennis@redhat.com>
John Horne wrote:
Hi,
I have installed FR2.1.1 onto a test server, built using the Fedora rawhide RPM source. No problems building and installing FR, but when I start FR it seems to immediately stop. The radius.log file just shows:
Fri Sep 26 17:20:58 2008 : Error: Failed to stat /var/run/radiusd/radiusd.sock: Permission denied
The ls command shows:
ls -l /var/run/radiusd/radiusd.sock srw-rw---- 1 radiusd radiusd 0 Sep 26 16:53 /var/run/radiusd/radiusd.sock
I have tried disabling selinux, and iptables, but they made no difference. Changing the permissions to 666 on the socket made no difference. Running 'radiusd -C' shows nothing, and 'radiusd -X' starts up okay. If I then use a different terminal I can run 'radmin' with no problem (which I gather uses the socket).
The problem is, I can't see what permissions may be wrong. Anyone any ideas on this?
The radiusd.sock is a new unix socket unknown to the SELinux policy for radius, thus if SELinux is enabled and in enforcing mode it will deny access. You can check if you're really enforcing by using this command. % getenforce If it says "Enforcing" then SELinux policy is going to deny access to this socket. You can turn it off via % setenforce 0 You can also verify this is your problem by grepping /var/log/audit/audit.log for AVC's, for example: % sudo grep AVC /var/log/audit/audit.log type=AVC msg=audit(1222447659.548:1457): avc: denied { unlink } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file type=AVC msg=audit(1222447659.548:1458): avc: denied { create } for pid=17382 comm="radiusd" name="radiusd.sock" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file type=AVC msg=audit(1222447659.548:1459): avc: denied { setattr } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file This was with SELinux in permissive mode, the key things to look for are comm="radiusd" name="radiusd.sock" which says the command was radiusd and the name of the object was radiusd.sock. But because SELinux was in permissive mode everything worked, it just told you what it would have denied if it were enforcing. We need to update the SELinux policy to allow this new socket. If that's not the problem you're encountering then the only other thing I can think of is that you're not running the service from an effective uid of root. When the server starts up it will have a uid of root but then drop it's privileges to radiusd (not sure if the socket is created before or after the privilege drop). But I do know the socket creation code does check the socket's gid matches the processe's egid, if not it generates an error, but it's a different error message than what you're seeing. The error you're seeing is from the stat() call. I strongly suspect an SELinux denial. If SELinux is in permissive mode and you're still seeing this you might try manually removing /var/run/radiusd/radiusd.sock after stopping the service and then restart it and see if that resolves the problem. FWIW, I don't see this problem on my system. HTH, -- John Dennis <jdennis@redhat.com>
John Dennis wrote:
If that's not the problem you're encountering then the only other thing I can think of is that you're not running the service from an effective uid of root. When the server starts up it will have a uid of root but then drop it's privileges to radiusd (not sure if the socket is created before or after the privilege drop).
After. The privileges are dropped as soon as the configuration files have been read. Alan DeKok.
participants (3)
-
Alan DeKok -
John Dennis -
John Horne