freeradius-3.2.8-1.el9 fails to start

mohair.scarves.0i at icloud.com
Fri Aug 22 12:19:03 UTC 2025


O.K. I have checked the audit logs and there is nothing in there. But you are right, setting SELinux to permissive allows the server to start.

Thus, I have disabled the dontaudit rules and checked the audit log again and then you can easily find the solution:

# semodule -DB
# ausearch -m avc | audit2allow
…
#============= radiusd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow radiusd_t self:capability net_admin;

#!!!! This avc can be allowed using the boolean 'radius_use_jit'
allow radiusd_t self:process execmem;
…

The SELinux policy seems already to be prepared for this issue.

Thus

# setsebool -P radius_use_jit=1
# getsebool radius_use_jit
radius_use_jit --> on
# systemctl start radiusd
# semodule -B

And now it starts even in enforcing mode.

Regards.

> On 22. Aug 2025, at 13:33, Matthew Newton via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> On 22/08/2025 12:08, Alan DeKok via Freeradius-Users wrote:
>> On Aug 22, 2025, at 6:57 AM, mohair.scarves.0i--- via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> I can confirm this problem on AlmaLinux 9. It seems to be related to the use of pcre2 which wasn’t used before.
>>   Well, that's unfriendly.  I would suspect that it's related to the PCRE JIT.  i.e. if you run it as root, the JIT can get executable memory.  When you run it as a non-root user, the OS won't give the JIT executable memory.
> 
> Yes. Looks like PCRE2 with JIT needs selinux policies to work - disabling selinux will likely also fix the issue.
> 
> We had to put PCRE2 in because Rocky10 and Debian13 don't include PCRE1 any more. But the configure script then automatically picked that for the existing OSes as well.
> 
>>   We can likely patch the code, and issue RPMs of 3.2.8-1.  I don't think there's a need for an official 3.2.9 yet.
> 
> Yeah, I'm working on 3.2.8-2 packages to flip it back to PCRE1.
> 
> Thanks Nick for debugging this one in detail.
> 
> -- 
> Matthew

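Added example (not part of the original post, and not FreeRADIUS or SELinux project code): a shell helper that sorts audit2allow output of the kind shown in the message above into denials an existing boolean covers, denials normally hidden by a dontaudit rule, and denials that would need local policy, so that only the boolean gets switched on. The function names and the third sample rule using `example_t` are constructed for illustration, and only the two `#!!!!` hint forms quoted in the message are recognised.

```shell
#!/bin/sh
# classify_avc: read `ausearch -m avc | audit2allow` output on stdin and print
# one tab-separated line per allow rule:
#   boolean:<name>  <rule>   covered by an existing boolean (setsebool -P <name>=1)
#   dontaudit       <rule>   normally hidden by a dontaudit rule; seen only after semodule -DB
#   custom          <rule>   no hint given; review before writing any local policy
classify_avc() {
    awk '
        /^#!!!! This avc can be allowed using the boolean / {
            split($0, q, "\047")        # \047 is a single quote; q[2] is the boolean name
            hint = "boolean:" q[2]
            next
        }
        /^#!!!! This avc has a dontaudit rule/ { hint = "dontaudit"; next }
        /^allow / {
            if (hint == "") hint = "custom"
            printf "%s\t%s\n", hint, $0
            hint = ""                   # a hint applies only to the rule right after it
        }
    '
}

# suggested_booleans: unique boolean names found by classify_avc, one per line.
suggested_booleans() {
    classify_avc |
        awk -F'\t' '$1 ~ /^boolean:/ { sub(/^boolean:/, "", $1); print $1 }' |
        sort -u
}

# Sample input: the two rules quoted in the message, plus one constructed rule
# (example_t is a made-up type) to show the "custom" case.
sample_output() {
    cat <<'EOF'
#============= radiusd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow radiusd_t self:capability net_admin;

#!!!! This avc can be allowed using the boolean 'radius_use_jit'
allow radiusd_t self:process execmem;
allow radiusd_t example_t:file read;
EOF
}

sample_output | classify_avc
```

On a live host the same functions take `ausearch -m avc | audit2allow` on stdin; rules reported as `dontaudit` or `custom` are left for review rather than loaded as a module.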