radiusd not starting at boot.

Ben Gatewood Ben.Gatewood at essensys.co.uk
Thu Jun 25 15:34:14 CEST 2015


"SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary"




On 25/06/2015 14:28, "firing neurons" <firingneurons at mail.com> wrote:

>   I am using 3.0.8.
>
>   The result of service radiusd status:
>
>   Redirecting to /bin/systemctl status  -l radiusd.service
>   ● radiusd.service - FreeRADIUS high performance RADIUS server.
>      Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
>      Active: failed (Result: exit-code) since Fri 2015-06-26 00:08:14 IST; 5h 24min left
>     Process: 819 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE)
>     Process: 794 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
>   Jun 26 00:08:11 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
>   Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
>   Jun 26 00:08:14 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
>   Jun 26 00:08:14 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
>   Jun 26 00:08:14 localhost.localdomain systemd[1]: radiusd.service failed.
>
>   result of service radiusd start:
>   Redirecting to /bin/systemctl start  radiusd.service
>   Job for radiusd.service failed. See "systemctl status radiusd.service" and "journalctl -xe" for details.
>   result of journalctl -xe:
>
>
>Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
>Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary.
>
>                                                    *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
>                                                    If you want to fix the label.
>                                                    /etc/raddb/dictionary default label should be radiusd_etc_t.
>                                                    Then you can run restorecon.
>                                                    Do
>                                                    # /sbin/restorecon -v /etc/raddb/dictionary
>
>                                                    *****  Plugin catchall (1.49 confidence) suggests   **************************
>
>                                                    If you believe that radiusd should be allowed read access on the dictionary file by default.
>                                                    Then you should report this as a bug.
>                                                    You can generate a local policy module to allow this access.
>                                                    Do
>                                                    allow this access for now by executing:
>                                                    # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
>                                                    # semodule -i mypol.pp
>
>Jun 25 18:50:56 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
>Jun 25 18:50:56 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf.
>
>                                                    *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
>                                                    If you want to fix the label.
>                                                    /etc/raddb/clients.conf default label should be radiusd_etc_t.
>                                                    Then you can run restorecon.
>                                                    Do
>                                                    # /sbin/restorecon -v /etc/raddb/clients.conf
>
>                                                    *****  Plugin catchall (1.49 confidence) suggests   **************************
>
>                                                    If you believe that radiusd should be allowed read access on the clients.conf file by default.
>                                                    Then you should report this as a bug.
>                                                    You can generate a local policy module to allow this access.
>                                                    Do
>                                                    allow this access for now by executing:
>                                                    # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
>                                                    # semodule -i mypol.pp
>
>Jun 25 18:50:56 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2678:78843 (system bus name :1.64, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bus)
>Jun 25 18:51:00 localhost.localdomain polkitd[660]: Registered Authentication Agent for unix-process:2863:79253 (system bus name :1.65 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8)
>Jun 25 18:51:00 localhost.localdomain systemd[1]: Starting FreeRADIUS high performance RADIUS server....
>-- Subject: Unit radiusd.service has begun start-up
>-- Defined-By: systemd
>-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>--
>-- Unit radiusd.service has begun starting up.
>Jun 25 18:51:00 localhost.localdomain audit[2886]: <audit-1400> avc:  denied  { sys_ptrace } for  pid=2886 comm="radiusd" capability=19  scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=0
>Jun 25 18:51:00 localhost.localdomain kernel: ptrace of pid 2885 was attempted by: radiusd (pid 2886)
>Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc:  denied  { read } for  pid=2885 comm="radiusd" name="dictionary" dev="dm-1" ino=1711521 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
>Jun 25 18:51:00 localhost.localdomain audit[2885]: <audit-1400> avc:  denied  { read } for  pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" ino=1711520 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
>Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
>Jun 25 18:51:00 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
>-- Subject: Unit radiusd.service has failed
>-- Defined-By: systemd
>-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>--
>-- Unit radiusd.service has failed.
>--
>-- The result is failed.
>Jun 25 18:51:00 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
>Jun 25 18:51:00 localhost.localdomain systemd[1]: radiusd.service failed.
>Jun 25 18:51:00 localhost.localdomain audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radiusd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from using the sys_ptrace capability. For complete SELinux messages. run sealert -l cac781eb-1cae-4673-b684-6308a2c7ff2b
>Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from using the sys_ptrace capability.
>
>                                                    *****  Plugin catchall (100. confidence) suggests   **************************
>
>                                                    If you believe that radiusd should have the sys_ptrace capability by default.
>                                                    Then you should report this as a bug.
>                                                    You can generate a local policy module to allow this access.
>                                                    Do
>                                                    allow this access for now by executing:
>                                                    # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
>                                                    # semodule -i mypol.pp
>
>Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
>Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/dictionary.
>
>                                                    *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
>                                                    If you want to fix the label.
>                                                    /etc/raddb/dictionary default label should be radiusd_etc_t.
>                                                    Then you can run restorecon.
>                                                    Do
>                                                    # /sbin/restorecon -v /etc/raddb/dictionary
>
>                                                    *****  Plugin catchall (1.49 confidence) suggests   **************************
>
>                                                    If you believe that radiusd should be allowed read access on the dictionary file by default.
>                                                    Then you should report this as a bug.
>                                                    You can generate a local policy module to allow this access.
>                                                    Do
>                                                    allow this access for now by executing:
>                                                    # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
>                                                    # semodule -i mypol.pp
>
>Jun 25 18:51:00 localhost.localdomain setroubleshoot[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf. For complete SELinux messages. run sealert -l 35e3131e-b329-4326-add0-6fde9b762f14
>Jun 25 18:51:00 localhost.localdomain python[2449]: SELinux is preventing radiusd from read access on the file /etc/raddb/clients.conf.
>
>                                                    *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
>                                                    If you want to fix the label.
>                                                    /etc/raddb/clients.conf default label should be radiusd_etc_t.
>                                                    Then you can run restorecon.
>                                                    Do
>                                                    # /sbin/restorecon -v /etc/raddb/clients.conf
>
>                                                    *****  Plugin catchall (1.49 confidence) suggests   **************************
>
>                                                    If you believe that radiusd should be allowed read access on the clients.conf file by default.
>                                                    Then you should report this as a bug.
>                                                    You can generate a local policy module to allow this access.
>                                                    Do
>                                                    allow this access for now by executing:
>                                                    # grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
>                                                    # semodule -i mypol.pp
>
>Jun 25 18:51:01 localhost.localdomain polkitd[660]: Unregistered Authentication Agent for unix-process:2863:79253 (system bus name :1.65, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN.UTF-8) (disconnected from bus)

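The AVC records in the quoted journal can be triaged mechanically to separate the two mislabeled files (target type `user_home_t`, fixed by the `restorecon` command sealert prints) from the `sys_ptrace` capability denial, which relabeling does not address. This is an added example, not part of the original thread; the function names, the `HOME_TYPES` heuristic and the use of `/etc/raddb` as the directory for the basenames in the AVC records are assumptions.

```python
import re

# Constructed sample: the three AVC denials from the quoted journal, each
# rejoined onto one line (timestamp, host and audit[pid] prefix dropped).
SAMPLE = """\
avc:  denied  { sys_ptrace } for  pid=2886 comm="radiusd" capability=19  scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=0
avc:  denied  { read } for  pid=2885 comm="radiusd" name="dictionary" dev="dm-1" ino=1711521 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
avc:  denied  { read } for  pid=2885 comm="radiusd" name="clients.conf" dev="dm-1" ino=1711520 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (heuristic, not from the thread): a file a confined daemon reads
# that carries a home-directory type kept the label of wherever it came from.
HOME_TYPES = {"user_home_t", "admin_home_t"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules match on the type field.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(key, "").split(":")
        rec[out] = parts[2] if len(parts) > 2 else None
    return rec

def triage(rec):
    """'relabel' when the target file carries a home-directory type, else 'review'."""
    if rec.get("tclass") in ("file", "dir") and rec["ttype"] in HOME_TYPES:
        return "relabel"
    return "review"  # e.g. the sys_ptrace denial: a policy question, not a label

def relabel_commands(log, conf_dir="/etc/raddb"):
    """restorecon commands for mislabeled files; conf_dir is assumed, AVC has only basenames."""
    recs = filter(None, map(parse_avc, log.splitlines()))
    names = {r["name"] for r in recs if triage(r) == "relabel" and "name" in r}
    return [f"/sbin/restorecon -v {conf_dir}/{n}" for n in sorted(names)]

if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE.splitlines())):
        print(triage(rec), rec["perms"], rec.get("name", rec.get("tclass")), rec["ttype"])
    print("\n".join(relabel_commands(SAMPLE)))
```

Denials that come back as `review` are the ones to read individually before considering the `audit2allow` route that sealert also prints.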