rlm_ippool does not create DB and IDX files
John Dennis
jdennis at redhat.com
Wed Jan 2 15:52:49 CET 2013

There was a thread back on April 18th with the subject "rlm_ippool does
not create DB and IDX files"

There were several incorrect statements and assumptions in that thread
culminating in "it's a SELinux problem". Nope, it's not a SELinux problem.

The fundamental problem is db_dir is set in /etc/raddb/radiusd.conf to
/etc/raddb. This is incorrect, in fact the comment above the
initialization of db_dir

    # Should likely be ${localstatedir}/lib/radiusd

is exactly correct, it should be /var/lib/radiusd, why?

1) Files under /etc are supposed to be configuration files only

2) The directory /etc/raddb is writable only by root, the radiusd daemon
drops root privileges and runs as radiusd:radiusd (by default).

3) Database files are supposed to be located under /var/lib/{application}

In the aforementioned thread the user apparently changed the ownership
of /etc/raddb and the user:group the daemon was running under creating
disinformation. If SELinux denied creating the db files under /etc/raddb
after hacking the ownership and permissions then SELinux in fact
operated correctly, you're not supposed to create/write database files
under /etc, that violates the rules for what belongs under /etc.

Instead /etc/raddb should have this line:

    db_dir = ${localstatedir}/lib/radiusd

This has been reported as a configuration bug for Red Hat in:

https://bugzilla.redhat.com/show_bug.cgi?id=891297

The above bug report also contains some additional information.

--
John Dennis <jdennis at redhat.com>
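
A check for the misconfiguration described in this message, added here as an example (not code from the original post or from FreeRADIUS): it resolves db_dir from a radiusd.conf-style file and flags a value under /etc or a directory the current user cannot write. The function names are hypothetical; run it as the daemon's user (radiusd by default, per the message) so the writability test reflects what the daemon sees after dropping root.

```shell
#!/bin/sh
# resolve_db_dir FILE: print the db_dir value from a radiusd.conf-style file,
# with ${name} references to other top-level variables expanded.
resolve_db_dir() {
    awk '
        # Collect top-level "name = value" assignments (unindented, not comments).
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            vars[name] = val
        }
        END {
            if (!("db_dir" in vars)) exit 2
            v = vars["db_dir"]
            # Expand ${name} references; bounded so a reference cycle cannot loop forever.
            for (i = 0; i < 20 && match(v, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/); i++) {
                ref = substr(v, RSTART + 2, RLENGTH - 3)
                v = substr(v, 1, RSTART - 1) vars[ref] substr(v, RSTART + RLENGTH)
            }
            print v
        }
    ' "$1"
}

# check_db_dir FILE: returns 0 = acceptable, 1 = db_dir is under /etc,
# 2 = db_dir not set (or file unreadable), 3 = directory missing or not writable.
check_db_dir() {
    dir=$(resolve_db_dir "$1") || return 2
    case "$dir/" in
        /etc/*) echo "BAD: db_dir=$dir is under /etc (configuration files only)"
                return 1 ;;
    esac
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "BAD: db_dir=$dir is missing or not writable by uid $(id -u)"; return 3
    fi
    echo "OK: db_dir=$dir"
}

# Usage (path is the one named in the message): sh this_script /etc/raddb/radiusd.conf
if [ "$#" -gt 0 ]; then check_db_dir "$1"; fi
```
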