Freeradius-Users Digest, Vol 122, Issue 104
firing neurons
firingneurons at mail.com
Sat Jul 18 19:01:55 CEST 2015
What is the best way to allow radiusd?
Will I have to add a custom policy for each type of access that is
blocked? Or is there a quick way that doesn't involve disabling
SELinux?
Message: 1
Date: Thu, 25 Jun 2015 13:34:14 +0000
From: Ben Gatewood <Ben.Gatewood at essensys.co.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: radiusd not starting at boot.
Message-ID: <4B8DA7A1-2801-4D0C-8FC7-1749BFB031EF at essensys.co.uk>
Content-Type: text/plain; charset="utf-8"
"SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary"
On 25/06/2015 14:28, "firing neurons" <firingneurons at mail.com> wrote:
> I am using 3.0.8.
>
> The result of service radiusd status:
>
> Redirecting to /bin/systemctl status -l radiusd.service
> ● radiusd.service - FreeRADIUS high performance RADIUS server.
>    Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Fri 2015-06-26 00:08:14 IST; 5h 24min left
>   Process: 819 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE)
>   Process: 794 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
>
> Jun 26 00:08:11 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
> Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
> Jun 26 00:08:14 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
> Jun 26 00:08:14 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
> Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service failed.
>
> result of service radiusd start:
> Redirecting to /bin/systemctl start radiusd.service
> Job for radiusd.service failed. See "systemctl status radiusd.service" and "journalctl -xe" for details.
>
> result of journalctl -xe:
>
> Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
> Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary.
>
> *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
> If you want to fix the label.
> /etc/raddb/dictionary default label should be radiusd_etc_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /etc/raddb/dictionary
>
> *****  Plugin catchall (1.49 confidence) suggests   **************************
>
> If you believe that radiusd should be allowed read access on the dictionary file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
> Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf.
>
> *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
> If you want to fix the label.
> /etc/raddb/clients.conf default label should be radiusd_etc_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /etc/raddb/clients.conf
>
> *****  Plugin catchall (1.49 confidence) suggests   **************************
>
> If you believe that radiusd should be allowed read access on the clients.conf file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Jun 25 18:50:56 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2678:78843 (system bus name :1.64, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bus)
> Jun 25 18:51:00 localhost.localdomain polkitd[660]: Registered Authentication Agent for unix-process:2863:79253 (system bus name :1.65 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8)
> Jun 25 18:51:00 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
> -- Subject: Unit radiusd.service has begun start-up
> -- Defined-By: systemd
> -- Support: [1]http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit radiusd.service has begun starting up.
> Jun 25 18:51:00 localhost.localdomain audit[2886]: <audit-1400> avc: denied { sys_ptrace } for pid=2886 comm="radiusd" capability=19 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=0
> Jun 25 18:51:00 localhost.localdomain kernel: ptrace of pid 2885 was attempted by: radiusd (pid 2886)
> Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="dictionary" dev="dm-1" ino=1711521 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
> Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" ino=1711520 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
> Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
> Jun 25 18:51:00 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
> -- Subject: Unit radiusd.service has failed
> -- Defined-By: systemd
> -- Support: [2]http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit radiusd.service has failed.
> --
> -- The result is failed.
> Jun 25 18:51:00 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
> Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service failed.
> Jun 25 18:51:00 localhost.localdomain audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radiusd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
> Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from using the sys_ptrace capability. For complete SELinux messages. run sealert -l cac781eb-1cae-4673-b684-6308a2c7ff2b
> Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from using the sys_ptrace capability.
>
> *****  Plugin catchall (100. confidence) suggests   **************************
>
> If you believe that radiusd should have the sys_ptrace capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
> Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary.
>
> *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
> If you want to fix the label.
> /etc/raddb/dictionary default label should be radiusd_etc_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /etc/raddb/dictionary
>
> *****  Plugin catchall (1.49 confidence) suggests   **************************
>
> If you believe that radiusd should be allowed read access on the dictionary file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
> Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf.
>
> *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
> If you want to fix the label.
> /etc/raddb/clients.conf default label should be radiusd_etc_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /etc/raddb/clients.conf
>
> *****  Plugin catchall (1.49 confidence) suggests   **************************
>
> If you believe that radiusd should be allowed read access on the clients.conf file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Jun 25 18:51:01 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2863:79253 (system bus name :1.65, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bus)
> -
> List info/subscribe/unsubscribe? See [3]http://www.freeradius.org/list/users.html
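The journal above shows two different kinds of denial: files under /etc/raddb that carry a user_home_t label instead of the expected radiusd_etc_t (a relabel with restorecon fixes those, and no custom policy is needed), and a sys_ptrace capability denial that no relabel can fix. As an added illustration, not code from the thread or from the FreeRADIUS project, the following Python triage parses the AVC lines quoted above and sorts them by the fix they need; the `relabel`/`policy`/`investigate` verdict names and the expected-type set are my own assumptions.

```python
import re

# Constructed sample: the three AVC records quoted in the journalctl output above,
# with the syslog prefix dropped since the parser only needs the audit record.
AVC_LINES = [
    '<audit-1400> avc: denied { sys_ptrace } for pid=2886 comm="radiusd" capability=19 '
    'scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 '
    'tclass=capability permissive=0',
    '<audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="dictionary" dev="dm-1" '
    'ino=1711521 scontext=system_u:system_r:radiusd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    '<audit-1400> avc: denied { read } for pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" '
    'ino=1711520 scontext=system_u:system_r:radiusd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    name = re.search(r'name="([^"]*)"', line)
    d['name'] = name.group(1) if name else None
    # An SELinux context is user:role:type:level; the type is what policy rules match on.
    d['source_type'] = d['scontext'].split(':')[2]
    d['target_type'] = d['tcontext'].split(':')[2]
    return d

def classify(denial, expected_types=frozenset({'radiusd_etc_t'})):
    """'relabel' when the file merely carries a foreign label, 'policy' when no label can help."""
    if denial['tclass'] == 'file' and denial['target_type'] not in expected_types:
        return 'relabel'      # e.g. user_home_t on /etc/raddb/*: restorecon restores radiusd_etc_t
    if denial['tclass'] == 'capability':
        return 'policy'       # capabilities have no file label; needs a policy module or a bug report
    return 'investigate'      # correctly labelled file still denied: read the full sealert output

def triage(lines):
    """Group the denied object names (or permissions) by the kind of fix they need."""
    groups = {'relabel': [], 'policy': [], 'investigate': []}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            groups[classify(d)].append(d['name'] or ' '.join(d['perms']))
    return groups
```

Running `triage(AVC_LINES)` on the quoted records puts dictionary and clients.conf under `relabel` and only sys_ptrace under `policy`, which is the distinction the setroubleshoot plugins above make by confidence score.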
------------------------------
References
1. http://lists.freedesktop.org/mailman/listinfo/systemd-devel
2. http://lists.freedesktop.org/mailman/listinfo/systemd-devel
3. http://www.freeradius.org/list/users.html