raddebug

Gerald Vogt vogt at spamcop.net
Thu Aug 10 20:10:41 UTC 2023


On 10.08.23 13:32, Alan DeKok wrote:
> On Aug 9, 2023, at 11:11 AM, Gerald Vogt <vogt at spamcop.net> wrote:
>> For whatever reason "raddebug" doesn't work on our new radius servers. On the old ones I could simply run "raddebug" or "raddebug -t 0" to capture the current debug logs.
>>
>> On the new one it shows nothing. It simply runs without any output.
>>
>> Running freeradius-3.2.3-1.el9.x86_64 on AlmaLinux 9.
>>
>> All the prerequisites mentioned in the raddebug(8) are met:
>> * radmin is in the path.
>> * I start raddebug as root thus permissions shouldn't matter.
>> * control socket is configured in mode rw and is accessible.
>> * It creates a file like "/var/log/radius/radmin.debug.101128" which remains empty as well.
>> * I don't run multiple raddebug processes.
>>
>> So I don't understand why it's not working...
> 
>    If I had to guess, it would be some kind of SELinux thing, or other "security" permissions thing.

It's not SELinux. There are no denials and I have double-checked in 
permissive mode.

It seems the problem is when I start raddebug as root. It creates the 
radmin.debug log file as root:

-rw-rw-r--. 1 root root 0 Aug 10 22:06 /var/log/radius/radmin.debug.30393

and radiusd cannot write into that.

If I run

# sudo -u radiusd raddebug

it'll work.

That wasn't necessary on EL7. I thought radiusd would create the debug 
log file. If it's raddebug (or radmin) I guess it should make sure that 
it's using the correct user/group. Or is there a new configuration 
option to set the user/group for the debug log file?

-Gerald
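
The ownership mismatch reported in this message can be checked mechanically. The script below is an added example, not part of the original post and not FreeRADIUS code. It assumes GNU `stat`, classic mode bits with no ACLs, and that the daemon account is `radiusd` with a group of the same name (the group name is an assumption).

```shell
#!/bin/sh
# Added example: report whether the daemon account can write to the
# radmin.debug.* files that raddebug creates.

# can_write OWNER GROUP MODE ACCOUNT "GROUP1 GROUP2 ..."
# Returns 0 if ACCOUNT may write to a file with that owner, group and octal
# mode. Mirrors the kernel's order: owner bits if the account owns the file,
# otherwise group bits if it is in the file's group, otherwise other bits.
# Not valid for root, which bypasses mode bits.
can_write() {
    cw_perms=$((0$3))              # leading 0 makes the mode octal
    if [ "$4" = "$1" ]; then
        cw_bit=$(( (cw_perms >> 7) & 1 ))    # owner write, 0200
    else
        cw_member=0
        for cw_g in $5; do
            if [ "$cw_g" = "$2" ]; then cw_member=1; fi
        done
        if [ "$cw_member" -eq 1 ]; then
            cw_bit=$(( (cw_perms >> 4) & 1 ))  # group write, 0020
        else
            cw_bit=$(( (cw_perms >> 1) & 1 ))  # other write, 0002
        fi
    fi
    [ "$cw_bit" -eq 1 ]
}

# check_debug_logs [DIR] [ACCOUNT]
# Lists each radmin.debug.* file with its ownership and a verdict.
# Returns 1 if any file is not writable by ACCOUNT, 2 if ACCOUNT is unknown.
check_debug_logs() {
    dir=${1:-/var/log/radius}
    acct=${2:-radiusd}
    acct_groups=$(id -Gn "$acct") || return 2
    rc=0
    for f in "$dir"/radmin.debug.*; do
        [ -e "$f" ] || continue
        set -- $(stat -c '%U %G %a' "$f")    # owner, group, octal mode
        if can_write "$1" "$2" "$3" "$acct" "$acct_groups"; then
            echo "ok      $f ($1:$2 $3)"
        else
            echo "BLOCKED $f ($1:$2 $3) not writable by $acct"
            rc=1
        fi
    done
    return $rc
}
```

Calling `check_debug_logs` with no arguments while raddebug is running inspects `/var/log/radius`; a `root:root` file with mode 664, as in the listing above, is reported as `BLOCKED`.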





More information about the Freeradius-Users mailing list