2.1.1 - radiusd.sock - permission denied
John Dennis
jdennis at redhat.com
Fri Sep 26 19:13:31 CEST 2008
John Horne wrote:
> Hi,
>
> I have installed FR2.1.1 onto a test server, built using the Fedora
> rawhide RPM source. No problems building and installing FR, but when I
> start FR it seems to immediately stop. The radius.log file just shows:
>
> Fri Sep 26 17:20:58 2008 : Error: Failed to
> stat /var/run/radiusd/radiusd.sock: Permission denied
>
> The ls command shows:
>
> ls -l /var/run/radiusd/radiusd.sock
> srw-rw---- 1 radiusd radiusd 0 Sep 26
> 16:53 /var/run/radiusd/radiusd.sock
>
> I have tried disabling selinux, and iptables, but they made no
> difference. Changing the permissions to 666 on the socket made no
> difference.
> Running 'radiusd -C' shows nothing, and 'radiusd -X' starts up okay. If
> I then use a different terminal I can run 'radmin' with no problem
> (which I gather uses the socket).
>
> The problem is, I can't see what permissions may be wrong. Anyone any
> ideas on this?
>
The radiusd.sock is a new unix socket unknown to the SELinux policy for
radius, thus if SELinux is enabled and in enforcing mode it will deny
access. You can check if you're really enforcing by using this command.
% getenforce
If it says "Enforcing" then SELinux policy is going to deny access to
this socket. You can turn it off via
% setenforce 0
You can also verify this is your problem by grepping
/var/log/audit/audit.log for AVCs, for example:
% sudo grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1222447659.548:1457): avc: denied { unlink } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1458): avc: denied { create } for pid=17382 comm="radiusd" name="radiusd.sock" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1459): avc: denied { setattr } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
This was with SELinux in permissive mode; the key things to look for are
comm="radiusd" name="radiusd.sock", which says the command was radiusd
and the name of the object was radiusd.sock.
But because SELinux was in permissive mode everything worked, it just
told you what it would have denied if it were enforcing.
We need to update the SELinux policy to allow this new socket.
If that's not the problem you're encountering then the only other thing
I can think of is that you're not running the service from an effective
uid of root. When the server starts up it will have a uid of root but
then drop its privileges to radiusd (not sure if the socket is created
before or after the privilege drop). But I do know the socket creation
code does check the socket's gid matches the process's egid; if not it
generates an error, but it's a different error message than what you're
seeing. The error you're seeing is from the stat() call. I strongly
suspect an SELinux denial. If SELinux is in permissive mode and you're
still seeing this you might try manually removing
/var/run/radiusd/radiusd.sock after stopping the service and then
restart it and see if that resolves the problem.
FWIW, I don't see this problem on my system.
HTH,
--
John Dennis <jdennis at redhat.com>
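The AVC records above are the evidence to look for, and the permissions listed between the braces (unlink, create, setattr on a sock_file) are exactly what a policy update has to allow. As an added example, not from this thread or from the FreeRADIUS project, here is a small Python parser that pulls denied permissions out of audit.log records and groups them by source type, target type and object class; the sample log is constructed from the three records in the reply plus a non-AVC line to show it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the three records from the reply above, joined back onto
# one line each as auditd writes them, plus an unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1222447659.548:1457): avc: denied { unlink } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1458): avc: denied { create } for pid=17382 comm="radiusd" name="radiusd.sock" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1459): avc: denied { setattr } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1222447659.548:1459): arch=c000003e syscall=90 success=yes exit=0
"""

# Header of an AVC record: timestamp:serial, verdict, brace-delimited permission list,
# then the free-form key=value fields (pid, comm, name, scontext, tcontext, tclass, ...).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for (?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def summarize_denials(log_text, comm=None, name=None):
    """Group denied permissions by (source type, target type, target class).
    Each key is the shape of one missing 'allow <src> <tgt>:<class> { perms };'
    rule. comm/name filter on the fields the reply says to check first."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if (comm and rec.get("comm") != comm) or (name and rec.get("name") != name):
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = rec["tcontext"].split(":")[2]
        summary[(stype, ttype, rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (s, t, c), perms in summarize_denials(SAMPLE_AUDIT_LOG, "radiusd", "radiusd.sock").items():
        print(f"{s} -> {t} ({c}): {' '.join(perms)}")
```

Run against a real /var/log/audit/audit.log the same grouping tells you whether the denials are limited to radiusd_t touching radiusd_var_run_t, as in the thread, or whether something else is being blocked as well.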