freeradius will not start when SELINUX is enabled

Jorge Valdes jvaldes at ibw.com
Fri Jan 30 19:22:54 CET 2015


Hi,

I use daemontool's supervise to manage the RADIUS service, and have been 
doing it for years. Now that I am migrating freeradius to another 
server, I am using Centos6 RPM to install the software versus compiling 
from source, and I am getting the following:

2015-01-30 10:52:42.518 server backbone { # from file etc/sites-enabled/backbone
2015-01-30 10:52:42.518  modules {
2015-01-30 10:52:42.518   Module: Creating Auth-Type = digest
2015-01-30 10:52:42.518  Module: Checking authenticate {...} for more modules to load
2015-01-30 10:52:42.518  Module: Linked to module rlm_digest
2015-01-30 10:52:42.518  Module: Instantiating module "digest" from file etc/modules/digest
2015-01-30 10:52:42.518  Module: Checking authorize {...} for more modules to load
2015-01-30 10:52:42.518  Module: Instantiating module "files_backbone" from file etc/radiusd.conf
2015-01-30 10:52:42.518   files files_backbone {
2015-01-30 10:52:42.518         usersfile = "etc/backbone/users"
2015-01-30 10:52:42.518         acctusersfile = "etc/backbone/acct_users"
2015-01-30 10:52:42.518         preproxy_usersfile = "etc/backbone/preproxy_users"
2015-01-30 10:52:42.518         compat = "no"
2015-01-30 10:52:42.518   }
2015-01-30 10:52:42.518 etc/backbone/users[171]: Could not open included file /home/crm/local-users/monitor: Permission denied
2015-01-30 10:52:42.519 Errors reading etc/backbone/users
2015-01-30 10:52:42.519 etc/radiusd.conf[681]: Instantiation failed for module "files_backbone"
2015-01-30 10:52:42.519 etc/sites-enabled/backbone[177]: Failed to load module "files_backbone".
2015-01-30 10:52:42.519 etc/sites-enabled/backbone[87]: Errors parsing authorize section.

After this, the program stops, and supervise tries again and again to 
restart, always failing here. I have double-checked permissions, and do 
not see where I could be denying:

[root at dhcp1 radius]# ls -ld /home
drwxr-xr-x. 6 root root 4096 Jan 30 09:49 /home
[root at dhcp1 radius]# ls -ld /home/crm/
drwxr-xr-x. 7 crm crm 4096 Jan 30 10:22 /home/crm/
[root at dhcp1 radius]# ls -ld /home/crm/local-users/
drwxr-xr-x. 2 crm crm 4096 Nov 17  2010 /home/crm/local-users/
[root at dhcp1 radius]# ls -l /home/crm/local-users/
total 28
-rw-r--r--. 1 crm crm 253 Oct  8 15:25 admin
-rw-r--r--. 1 crm crm 252 Jan 21  2011 monitor
-rw-r--r--. 1 crm crm 943 Oct  8 15:25 noc
-rw-r--r--. 1 crm crm 131 Oct  8 15:25 ps
-rw-r--r--. 1 crm crm 668 Oct  8 15:25 super_tech
-rw-r--r--. 1 crm crm 436 Oct  8 15:25 vpn

Now, when I execute the server from the command-line manually, the 
server starts out without problems:

...
server backbone { # from file etc/sites-enabled/backbone
  modules {
   Module: Creating Auth-Type = digest
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_digest
  Module: Instantiating module "digest" from file etc/modules/digest
  Module: Checking authorize {...} for more modules to load
  Module: Instantiating module "files_backbone" from file etc/radiusd.conf
   files files_backbone {
         usersfile = "etc/backbone/users"
         acctusersfile = "etc/backbone/acct_users"
         preproxy_usersfile = "etc/backbone/preproxy_users"
         compat = "no"
   }
  Module: Checking preacct {...} for more modules to load
  Module: Checking accounting {...} for more modules to load
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
} # server
...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Ready to process requests.

The only issue is that SELINUX is enabled. After I disabled SELINUX and 
restarted the server, the service now starts without issues. After 
looking at the audit log, I see that:

type=AVC msg=audit(1422637776.619:4172): avc:  denied  { search } for  pid=9101 comm="radiusd" name="home" dev=dm-0 ino=261125 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1422637776.619:4172): arch=c000003e syscall=2 success=no exit=-13 a0=7fffedebf240 a1=0 a2=1b6 a3=0 items=0 ppid=31859 pid=9101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)

So, access is being denied to /home.

Since my SELINUX knowledge is limited, I will run with SELINUX disabled, 
but I still do not understand why it would block access only on 
non-interactive executions.

Maybe there should be mention in the FAQ regarding configuration files 
residing inside /home, or that SELINUX can make the daemon fail to start 
due to targeted policies using non-standard configuration settings.

-- 
Jorge Valdes
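As an added example (not part of the post above and not FreeRADIUS project code): a small POSIX shell script that reads AVC records of the kind quoted in the message and reduces each one to "source domain, verdict, permission, object class, target label, object name", filters an audit extract for denials belonging to one process, and prints a one-line reading of the record. The sample records are constructed for the example: the first reproduces the radiusd denial from the post, the SYSCALL line is a shortened copy of the one in the post, and the httpd record is invented only so the filter has something to skip.

```shell
#!/bin/sh
# Added example: parse SELinux AVC audit records into their security-relevant fields.
# Sample records are constructed; the first is the radiusd denial quoted in the post.

SAMPLE_AVC='type=AVC msg=audit(1422637776.619:4172): avc:  denied  { search } for  pid=9101 comm="radiusd" name="home" dev=dm-0 ino=261125 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# A three-record extract: the AVC above, its SYSCALL companion, and an invented httpd denial.
SAMPLE_LOG="$SAMPLE_AVC
type=SYSCALL msg=audit(1422637776.619:4172): arch=c000003e syscall=2 success=no exit=-13 comm=\"radiusd\" exe=\"/usr/sbin/radiusd\"
type=AVC msg=audit(1422637800.000:4180): avc:  denied  { read } for  pid=9200 comm=\"httpd\" name=\"index.html\" dev=dm-0 ino=300000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file"

# avc_field RECORD KEY: print the value of KEY=VALUE in RECORD, surrounding quotes stripped.
avc_field() (
    set -f                      # disable globbing while the record is word-split
    for tok in $1; do
        case "$tok" in
            "$2="*) v=${tok#"$2="}; v=${v#\"}; v=${v%\"}; printf '%s\n' "$v"; exit 0 ;;
        esac
    done
    exit 1
)

# avc_perms RECORD: the permission set between the braces, e.g. "search".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "<source type> <verdict> <perms> <tclass> <target type> <name>"
avc_summary() {
    rec=$1
    case "$rec" in *"avc:  denied "*) verdict=denied ;; *) verdict=granted ;; esac
    printf '%s %s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$verdict" \
        "$(avc_perms "$rec")" \
        "$(avc_field "$rec" tclass)" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" name)"
}

# avc_denials_for LOG COMM: summaries of the AVC denials whose comm= matches COMM, one per line.
avc_denials_for() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in type=AVC*) ;; *) continue ;; esac      # SYSCALL etc. carry no verdict
        [ "$(avc_field "$line" comm)" = "$2" ] || continue
        case "$line" in *"avc:  denied "*) avc_summary "$line" ;; esac
    done
}

# avc_explain RECORD: one sentence that names the domain, the permission and the label involved.
avc_explain() {
    set -- $(avc_summary "$1")
    printf 'domain %s was %s "%s" on a %s labelled %s (object name "%s"); inspect the label with: ls -dZ <path>\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

avc_explain "$SAMPLE_AVC"
avc_denials_for "$SAMPLE_LOG" radiusd
```

Run as-is it prints the reading of the radiusd record and then the single radiusd denial from the three-record extract; the SYSCALL record is skipped because it carries no verdict, and the httpd record because its comm= does not match. The same functions work on `ausearch -m avc` output, since each AVC record is one line there too.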

