Bug 167289

Summary: Using /etc/pki/tls/certs/ca-bundle.crt with FreeRADIUS
Product: [Fedora] Fedora Reporter: Joachim Selke <mail>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 4Keywords: FutureFeature
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-12 17:08:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joachim Selke 2005-09-01 11:52:19 UTC 
Description of problem:
When using EAP-TLS in FreeRADIUS a CA root certificate file can be specified in
/etc/raddb/eap.conf with the option CA_file. In default configuration the file
${raddbdir}/certs/demoCA/cacert.pem is used for this. As Fedora Core 4 comes
with the CA file /etc/pki/tls/certs/ca-bundle.crt it should be a good idea to
use this one in FreeRADIUS. But SELinux denies access to it in enforcing mode,
here are the error messages from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125573605.073:758): avc:  denied  { search } for  pid=11155
comm="radiusd" name="pki" dev=sda3 ino=327401 scontext=root:system_r:radiusd_t
tcontext=system_u:object_r:cert_t tclass=dir
type=SYSCALL msg=audit(1125573605.073:758): arch=c000003e syscall=2 success=no
exit=-13 a0=555555784be0 a1=0 a2=1b6 a3=0 items=1 pid=11155 auid=0 uid=95 gid=95
euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125573605.073:758):  cwd="/"
type=PATH msg=audit(1125573605.073:758): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" flags=101  inode=327401 dev=08:03
mode=040755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use /etc/pki/tls/certs/ca-bundle.crt as CA file
2. service radiusd start


Actual results:
start of service fails, because access to /etc/pki/tls/certs/ca-bundle.crt is
denied by SELinux


Expected results:
start of service succeeds


Additional info:
Perhaps it is a good idea to use /etc/pki/tls/certs/ca-bundle.crt as CA file in
default configuration.

In addition "CA_path = /etc/pki/tls/certs" should be set in /etc/raddb/eap.conf
right after CA_file as default configuration. This makes it easier to maintain a
central key infrastructure in /etc/pki/tls.

Maybe there are some other files in /etc/raddb where similar modifications are
useful.
Comment 1 Christian Iseli 2007-01-22 10:50:14 UTC 
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 2 Thomas Woerner 2007-07-23 13:54:03 UTC 
Assigning to selinux-policy-targeted.
Comment 3 Daniel Walsh 2007-07-23 14:51:10 UTC 
This access was not present in FC6 or beyond.  I will update F-7 and rawhide
today, and FC7 next time an update happens.
Comment 4 Daniel Walsh 2007-09-12 17:08:19 UTC 
Moving modified bugs to closed