Problems starting FreeRadius after 3.0.23 install

Weisteen Per per.weisteen at
Mon Sep 27 09:24:34 CEST 2021

Hi Alan 

Thanks for your time.

I checked the systemd man pages and did some Googling and found info suggesting that one should use AmbientCapabilities to set capabilities while CapabilityBoundingSet limits capabilities.  
That seems to have done the trick. Startup is without errors now. I haven’t experimented with all capabilities, but this works ok at least.


BTW: SELinux is disabled in my system.


> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> at> On Behalf Of Alan
> DeKok
> Sent: fredag 24. september 2021 14:23
> To: FreeRadius users mailing list <freeradius-users at>
> Subject: Re: Problems starting FreeRadius after 3.0.23 install
> On Sep 24, 2021, at 6:04 AM, Weisteen Per <per.weisteen at> wrote:
> > Have just installed Freeradius 3.0.23 on my CentOS 7 test-servers as described in .
> > I'm not using LDAP so I've skipped that part.
>   OK.
> > I'm also not using radiusd:radiusd as userid:groupid due to administrative naming rules, but got a xxxxrad:xxxxrad as userid:groupid instead.
> > I've changed ownership for all files under /etc/raddb and /var/log/radiusd to xxxxrad:xxxxrad, changed user and group in radius.conf accordingly.
> > Also copied the supplied /usr/lib/systemd/system/radiusd.service into /etc/systemd/system/radiusd.service and changed User and Group here too.
>   It's best to have the file permissions as owned by user "root", and group "xxxrad".  You typically don't want a public-facing service to own the files it reads.  If there's a vulnerability, then an attacker can over-write the configuration files.  Which is usually bad.

Ok, will do.

> > Running radius -X as root gives no error messages.
> >
> > When starting radius through systemctl start radiusd I get "Failed to start FreeRADIUS multi-protocol policy server."
> >
> > Doing su - xxxxrad and then running radius -X gives these messages:
> > Failed binding to interface net1: Operation not permitted
> > /etc/raddb/sites-enabled/default[59]: Error binding to port for
> > port 1812
>   That's an error from the operating system.
> > I've removed the comment that was in front of the CAP_CHOWN CAP_DAC_OVERRIDE in radius.service.
>   That's good, but it seems not enough.
>   There's some magic on your OS (SELinux?) which is preventing the server from binding to the "net1" interface.  You'll have to figure it out.  And if you do, *please* update the Wiki so other people don't run into the same issue.
>   I don't run SELinux because it's useless for most purposes.  It rarely helps, it's hard to configure, and it gets in the way.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
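
The distinction described in the reply above (CapabilityBoundingSet only limits, AmbientCapabilities grants), as an added example that is not part of the original thread or the FreeRADIUS project: a Python check that lists the capabilities a unit with a non-root User= allows but never grants. The unit text, the CAP_NET_ADMIN entry and the function names are constructed for illustration.

```python
# Added example: find capabilities a systemd unit permits but never grants.
import re

def parse_unit(text):
    """Collect User= and both capability lists from the [Service] section."""
    state = {"User": "root", "CapabilityBoundingSet": None,
             "AmbientCapabilities": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "User":
            state["User"] = value
        elif key in ("CapabilityBoundingSet", "AmbientCapabilities"):
            if not value:
                state[key] = set()  # an empty assignment resets the list
            elif value.startswith("~"):
                raise ValueError("inverted (~) lists are not handled here")
            else:  # repeated assignments accumulate
                state[key] = (state[key] or set()) | set(value.split())
    return state

def permitted_but_not_granted(text):
    """Bounding-set capabilities that a non-root service never receives."""
    s = parse_unit(text)
    if s["User"] in ("root", "0") or s["CapabilityBoundingSet"] is None:
        return set()
    return s["CapabilityBoundingSet"] - s["AmbientCapabilities"]

# Constructed sample unit; xxxxrad is the placeholder user from the thread.
SAMPLE_BEFORE = """[Service]
User=xxxxrad
Group=xxxxrad
CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE
"""
SAMPLE_AFTER = (SAMPLE_BEFORE +
                "AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE\n")

if __name__ == "__main__":
    print("before:", sorted(permitted_but_not_granted(SAMPLE_BEFORE)))
    print("after: ", sorted(permitted_but_not_granted(SAMPLE_AFTER)))
```

A non-empty result means the service is limited to those capabilities but does not actually hold them when it runs as the configured user.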
