

SELinux in Enforcing mode causes FreeRADIUS to fail when enabling the ABFAB server


To confirm that SELinux is the cause, temporarily switch off SELinux enforcement and try to restart the server. If it then starts, use the following SELinux policy module as a starting point:

CentOS 6
# Type Enforcement source for the module; save it as radiusd_moonshot.te
module radiusd_moonshot 1.1;

require {
	type security_t;
	type radiusd_t;
	type radsec_port_t;
	type pam_var_console_t;
	type var_lib_t;
	type default_context_t;
	type system_dbusd_var_lib_t;
	type port_t;
	type dbusd_exec_t;
	type initrc_t;
	class process { ptrace execmem };
	class tcp_socket { name_bind name_connect };
	class netlink_selinux_socket { bind create };
	class file { execute read execute_no_trans write getattr open };
	class capability sys_ptrace;
	class security compute_av;
	class dir search;
}

#============= radiusd_t ==============
# Execute the D-Bus helper and read its state files
allow radiusd_t dbusd_exec_t:file { read execute open execute_no_trans };
allow radiusd_t system_dbusd_var_lib_t:dir search;
allow radiusd_t system_dbusd_var_lib_t:file { read getattr open };
# Read default SELinux contexts and query the security server
allow radiusd_t default_context_t:file { read getattr open };
allow radiusd_t security_t:security compute_av;
allow radiusd_t self:netlink_selinux_socket { bind create };
# Bind and connect on the RadSec port; connect to generic ports
allow radiusd_t radsec_port_t:tcp_socket { name_bind name_connect };
allow radiusd_t port_t:tcp_socket name_connect;
# Process-level permissions needed by the ABFAB/GSS-EAP code path
allow radiusd_t self:process { ptrace execmem };
allow radiusd_t self:capability sys_ptrace;
# Miscellaneous file and directory access
allow radiusd_t pam_var_console_t:dir search;
allow radiusd_t var_lib_t:file { read write getattr open };

Then compile and install this policy (saved as radiusd_moonshot.te) with the following commands, run as root:

# checkmodule -M -m -o radiusd_moonshot.mod radiusd_moonshot.te
# semodule_package -o radiusd_moonshot.pp -m radiusd_moonshot.mod
# semodule -i radiusd_moonshot.pp
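The module above has the shape audit2allow produces from AVC denials. As an added example, not part of the original page, the following script shows that mapping explicitly: it reads constructed AVC records for the radiusd_t domain, groups the denied permissions by target type and object class, and renders a .te module in the same layout, so new denials logged after the ABFAB server is enabled can be turned into a reviewable rule set instead of running the daemon unconfined. The sample log lines and the module name radiusd_moonshot_extra are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in the kernel audit format (not from a real
# host); the last line is for a different domain and must be ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1381234567.123:45): avc:  denied  { name_bind } for  pid=1234 comm="radiusd" src=2083 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radsec_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1381234567.123:46): avc:  denied  { name_connect } for  pid=1234 comm="radiusd" dest=2083 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radsec_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1381234567.124:47): avc:  denied  { read open } for  pid=1234 comm="radiusd" path="/var/lib/dbus/machine-id" dev=dm-0 ino=4711 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1381234567.125:48): avc:  denied  { execmem } for  pid=1234 comm="radiusd" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:system_r:radiusd_t:s0 tclass=process
type=AVC msg=audit(1381234567.126:49): avc:  denied  { read } for  pid=999 comm="httpd" path="/var/lib/misc/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Pull the permission set, source domain, target type and class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text, domain="radiusd_t"):
    """Return {(target_type, class): {perms}} for denials whose source is `domain`."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("sdom") == domain:
            # A target equal to the source domain is written as `self` in policy.
            ttype = "self" if m.group("ttype") == domain else m.group("ttype")
            rules[(ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules

def render_module(rules, domain="radiusd_t", name="radiusd_moonshot_extra", version="1.0"):
    """Render the collected rules as a .te module: require block, then allow rules."""
    types = sorted({domain} | {t for t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", "", f"#============= {domain} =============="]
    for (ttype, cls), perms in sorted(rules.items()):
        lines.append(f"allow {domain} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_module(parse_denials(SAMPLE_AVC)), end="")
```

Review each generated rule before loading it; broad permissions such as execmem or sys_ptrace deserve a justification, and a denial may equally point at a mislabelled file that should be fixed with restorecon rather than allowed.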

Additionally, you have to change the following line in the /etc/init.d/radiusd file so that the daemon is started through runcon; the runcon command and its context argument are the part added to the original daemon line:

daemon --pidfile $pidfile runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 $exec -d $config_dir

This line will eventually no longer be necessary. Note that it starts radiusd in the unconfined_t domain rather than radiusd_t, so while it is in place the rules of the module above do not apply to the daemon; treat it as a temporary workaround rather than as part of the policy.
