Freeradius-Users Digest, Vol 122, Issue 104

firing neurons firingneurons at mail.com
Sat Jul 18 19:01:55 CEST 2015


   What is the best way to allow radiusd?

   Will I have to add custom policy for each type of access that is
   blocked? Or is there a quick way that doesn't involve disabling
   SELinux?

   Message: 1
   Date: Thu, 25 Jun 2015 13:34:14 +0000
   From: Ben Gatewood <Ben.Gatewood at essensys.co.uk>
   To: FreeRadius users mailing list
   <freeradius-users at lists.freeradius.org>
   Subject: Re: radiusd not starting at boot.
   Message-ID: <4B8DA7A1-2801-4D0C-8FC7-1749BFB031EF at essensys.co.uk>
   Content-Type: text/plain; charset="utf-8"
   "SELinux is preventing radiusd from read access on the file
   /etc/raddb/dictionary"
   On 25/06/2015 14:28, "firing neurons" <firingneurons at mail.com> wrote:
   > I am using 3.0.8.
   >
   > The result of service radiusd status:
   >
   > Redirecting to /bin/systemctl status -l radiusd.service
   > ● radiusd.service - FreeRADIUS high performance RADIUS server.
   > Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   > Active: failed (Result: exit-code) since Fri 2015-06-26 00:08:14 IST; 5h 24min left
   > Process: 819 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE)
   > Process: 794 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
   > Jun 26 00:08:11 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
   > Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
   > Jun 26 00:08:14 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
   > Jun 26 00:08:14 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
   > Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service failed.
   >
   > result of service radiusd start:
   > Redirecting to /bin/systemctl start radiusd.service
   > Job for radiusd.service failed. See "systemctl status radiusd.service" and "journalctl -xe" for details.
   >
   > result of journalctl -xe:
   >
   > Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
   > Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary.
   >
   > ***** Plugin restorecon (99.5 confidence) suggests ************************
   >
   > If you want to fix the label.
   > /etc/raddb/dictionary default label should be radiusd_etc_t.
   > Then you can run restorecon.
   > Do
   > # /sbin/restorecon -v /etc/raddb/dictionary
   >
   > ***** Plugin catchall (1.49 confidence) suggests **************************
   >
   > If you believe that radiusd should be allowed read access on the dictionary file by default.
   > Then you should report this as a bug.
   > You can generate a local policy module to allow this access.
   > Do
   > allow this access for now by executing:
   > # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
   > # semodule -i mypol.pp
   >
   > Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
   > Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf.
   >
   > ***** Plugin restorecon (99.5 confidence) suggests ************************
   >
   > If you want to fix the label.
   > /etc/raddb/clients.conf default label should be radiusd_etc_t.
   > Then you can run restorecon.
   > Do
   > # /sbin/restorecon -v /etc/raddb/clients.conf
   >
   > ***** Plugin catchall (1.49 confidence) suggests **************************
   >
   > If you believe that radiusd should be allowed read access on the clients.conf file by default.
   > Then you should report this as a bug.
   > You can generate a local policy module to allow this access.
   > Do
   > allow this access for now by executing:
   > # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
   > # semodule -i mypol.pp
   >
   > Jun 25 18:50:56 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2678:78843 (system bus name :1.64, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bus)
   > Jun 25 18:51:00 localhost.localdomain polkitd[660]: Registered Authentication Agent for unix-process:2863:79253 (system bus name :1.65 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8)
   > Jun 25 18:51:00 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
   > -- Subject: Unit radiusd.service has begun start-up
   > -- Defined-By: systemd
   > -- Support: [1]http://lists.freedesktop.org/mailman/listinfo/systemd-devel
   > --
   > -- Unit radiusd.service has begun starting up.
   > Jun 25 18:51:00 localhost.localdomain audit[2886]: <audit-1400> avc: denied { sys_ptrace } for pid=2886 comm="radiusd" capability=19 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=0
   > Jun 25 18:51:00 localhost.localdomain kernel: ptrace of pid 2885 was attempted by: radiusd (pid 2886)
   > Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="dictionary" dev="dm-1" ino=1711521 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
   > Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" ino=1711520 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
   > Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
   > Jun 25 18:51:00 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
   > -- Subject: Unit radiusd.service has failed
   > -- Defined-By: systemd
   > -- Support: [2]http://lists.freedesktop.org/mailman/listinfo/systemd-devel
   > --
   > -- Unit radiusd.service has failed.
   > --
   > -- The result is failed.
   > Jun 25 18:51:00 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
   > Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service failed.
   > Jun 25 18:51:00 localhost.localdomain audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radiusd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
   > Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from using the sys_ptrace capability. For complete SELinux messages. run sealert -l cac781eb-1cae-4673-b684-6308a2c7ff2b
   > Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from using the sys_ptrace capability.
   >
   > ***** Plugin catchall (100. confidence) suggests **************************
   >
   > If you believe that radiusd should have the sys_ptrace capability by default.
   > Then you should report this as a bug.
   > You can generate a local policy module to allow this access.
   > Do
   > allow this access for now by executing:
   > # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
   > # semodule -i mypol.pp
   >
   > Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
   > Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary.
   >
   > ***** Plugin restorecon (99.5 confidence) suggests ************************
   >
   > If you want to fix the label.
   > /etc/raddb/dictionary default label should be radiusd_etc_t.
   > Then you can run restorecon.
   > Do
   > # /sbin/restorecon -v /etc/raddb/dictionary
   >
   > ***** Plugin catchall (1.49 confidence) suggests **************************
   >
   > If you believe that radiusd should be allowed read access on the dictionary file by default.
   > Then you should report this as a bug.
   > You can generate a local policy module to allow this access.
   > Do
   > allow this access for now by executing:
   > # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
   > # semodule -i mypol.pp
   >
   > Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
   > Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf.
   >
   > ***** Plugin restorecon (99.5 confidence) suggests ************************
   >
   > If you want to fix the label.
   > /etc/raddb/clients.conf default label should be radiusd_etc_t.
   > Then you can run restorecon.
   > Do
   > # /sbin/restorecon -v /etc/raddb/clients.conf
   >
   > ***** Plugin catchall (1.49 confidence) suggests **************************
   >
   > If you believe that radiusd should be allowed read access on the clients.conf file by default.
   > Then you should report this as a bug.
   > You can generate a local policy module to allow this access.
   > Do
   > allow this access for now by executing:
   > # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
   > # semodule -i mypol.pp
   >
   > Jun 25 18:51:01 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2863:79253 (system bus name :1.65, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bus)
   > -
   > List info/subscribe/unsubscribe? See
   > [3]http://www.freeradius.org/list/users.html
   ------------------------------
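   Editor's added example, not code from either poster or from the FreeRADIUS
   project. The AVC records quoted above answer the question in the first
   message: the two read denials carry tcontext type user_home_t, while
   setroubleshoot reports that files under /etc/raddb should be radiusd_etc_t.
   That is a mislabelled file, not a gap in the radiusd policy, so the fix is
   restorecon on the config tree, and no custom policy module is needed for
   it. The sys_ptrace denial is separate: the kernel line shows one radiusd
   process (pid 2886) trying to ptrace another (pid 2885), and it is not what
   makes "radiusd -C" exit 1. The script below parses AVC lines of the shape
   shown in the thread, classifies each one, and prints the least-privilege
   remedy. It assumes the config directory is $RADDB (/etc/raddb by default);
   the sample records are constructed from the quoted log.

```shell
#!/bin/bash
# Added example for this thread (not from the original post or from FreeRADIUS):
# triage SELinux AVC denials for radiusd and pick the least-privilege remedy
# instead of feeding every denial to audit2allow.
#
# Assumption: the FreeRADIUS config lives under $RADDB and should carry the
# radiusd_etc_t type, as setroubleshoot reported in the thread.
RADDB="${RADDB:-/etc/raddb}"

# Constructed sample records modelled on the AVC lines quoted in the thread:
# one capability denial and two file-read denials on mislabelled config files.
AVC_SAMPLE='avc: denied { sys_ptrace } for pid=2886 comm="radiusd" capability=19 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=0
avc: denied { read } for pid=2885 comm="radiusd" name="dictionary" dev="dm-1" ino=1711521 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
avc: denied { read } for pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" ino=1711520 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=... in an AVC record, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# ctx_type CONTEXT: the SELinux type, third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> relabel | capability | policy
#   relabel    : a file/dir denial whose target type is not a radiusd_* type
#                (user_home_t here): the file carries the wrong label, so the
#                fix is restorecon, not a new allow rule.
#   capability : a process-capability denial (sys_ptrace in the thread).
#   policy     : anything else; review it before writing a local module.
classify_avc() {
    line=$1
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    case "$tclass" in
        file|dir|lnk_file)
            case "$ttype" in
                radiusd_*) echo policy ;;
                *)         echo relabel ;;
            esac ;;
        capability) echo capability ;;
        *)          echo policy ;;
    esac
}

# suggest_fix LINE: the command an admin should run for this denial.
suggest_fix() {
    line=$1
    name=$(avc_field "$line" name)
    case "$(classify_avc "$line")" in
        relabel)    echo "restorecon -v $RADDB/$name" ;;
        capability) echo "# $(avc_perm "$line") denied; check whether radiusd actually needs it before touching policy" ;;
        policy)     echo "# review first, then: ausearch -m avc -c radiusd | audit2allow -M radiusd_local" ;;
    esac
}

# triage_avc: read AVC lines on stdin, print "<class>\t<fix>" per line.
triage_avc() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(classify_avc "$line")" "$(suggest_fix "$line")"
    done
}

# Run on the constructed sample; on a real host feed it
# "ausearch -m avc -c radiusd" or the raw lines from journalctl.
printf '%s\n' "$AVC_SAMPLE" | triage_avc
```

   The point of classifying first is what audit2allow would otherwise do with
   the user_home_t denials: it generates an allow rule from the AVC as logged,
   so the daemon would be permitted to read user_home_t files in general, not
   just its own config. Relabelling the whole tree with "restorecon -Rv
   /etc/raddb" restores the intended radiusd_etc_t type and leaves the policy
   untouched; only denials that survive a correct relabel are candidates for a
   local module.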

References

   1. http://lists.freedesktop.org/mailman/listinfo/systemd-devel
   2. http://lists.freedesktop.org/mailman/listinfo/systemd-devel
   3. http://www.freeradius.org/list/users.html

