SELinux and FreeRADIUS interplay
A.L.M.Buxey at lboro.ac.uk
Mon Jul 13 19:24:03 CEST 2009
Hi,
> I recall running into this issue when the control socket was first added
> and my recollection is that I contacted our SELinux policy guru (Dan
> Walsh) to add support for it. However neither Dan nor myself has
> specific memories on this but we think it might have been for Fedora
> only (not RHEL) if it happened at all. Dan has promised me he will
> investigate and get back to me. I will follow up here at that time.
Okay - here is the SELinux magic that gets it working. Perhaps suitable
for the WIKI etc. I'm very keen on things working with SELinux - it's a good tool.
Okay, after running radiusd a few times and finding out the reason
for the failure using audit2why < /var/log/audit/audit.log, I built up a
local.te file - see attached. This is the 'foo' that SELinux needs for its
engine.
Taking this local.te file, I then created a suitable local module:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
The radiusd daemon now runs with the control_socket on. Hurrah!
alan
Attached local.te:
module local 1.0;

# Built from the audit2why/audit2allow output for radiusd's control socket;
# the four separate require/allow pairs are merged into one block and one rule.
require {
	type radiusd_t;
	type radiusd_var_run_t;
	class sock_file { getattr unlink create setattr };
}

#============= radiusd_t ==============
allow radiusd_t radiusd_var_run_t:sock_file { getattr unlink create setattr };
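The step Alan describes (read the AVC denials out of audit.log, then turn them into a local.te) is roughly what audit2allow does. Below is an added illustration of that translation, not code from the post or from the SELinux tools: the audit lines are constructed samples shaped like the kernel's AVC records and using the same radiusd_t / radiusd_var_run_t / sock_file contexts as the attachment, and parse_denials/build_te are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original post). Four AVC
# denials for radiusd's control socket plus one unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1247500000.101:301): avc:  denied  { getattr } for  pid=2211 comm="radiusd" path="/var/run/radiusd/radiusd.sock" dev=dm-0 ino=1701 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1247500000.102:302): avc:  denied  { unlink } for  pid=2211 comm="radiusd" name="radiusd.sock" dev=dm-0 ino=1701 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1247500000.103:303): avc:  denied  { create } for  pid=2211 comm="radiusd" name="radiusd.sock" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1247500000.104:304): avc:  denied  { setattr } for  pid=2211 comm="radiusd" name="radiusd.sock" dev=dm-0 ino=1701 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1247500000.104:304): arch=c000003e syscall=4 success=no exit=-13
"""

# Pull the denied permissions, source type, target type and object class
# out of an AVC record; the user/role parts of the contexts are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S* .*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S* .*?'
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)


def build_te(rules, name='local', version='1.0'):
    """Render a .te module: one require block, one allow rule per (src, tgt, class)."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c].update(perms)
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(build_te(parse_denials(SAMPLE_AUDIT_LOG)))
```

The rendered module is the merged equivalent of the attachment and feeds straight into the checkmodule / semodule_package / semodule -i steps above; review each allow line before loading it, since the generator grants exactly what was denied and nothing tells it whether that access is legitimate.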