Bug 167290

Summary: Using /dev/urandom with FreeRADIUS
Product: [Fedora] Fedora
Reporter: Joachim Selke <mail>
Component: selinux-policy-targeted
Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 4
Keywords: FutureFeature
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-05 15:07:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Joachim Selke 2005-09-01 12:02:39 UTC
Description of problem:
When using EAP-TLS in FreeRADIUS a random source can be specified in
/etc/raddb/eap.conf with the option random_file. In default configuration the
file ${raddbdir}/certs/random is used for this.

As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom
as a random source (which sounds much better to me than the static file above),
it should be a good idea to use this in the FreeRADIUS default configuration.

But there is another problem: SELinux denies access to /dev/urandom, here is the
error message from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125576074.805:781): avc:  denied  { read } for  pid=11525
comm="radiusd" name="urandom" dev=tmpfs ino=1159
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t
tclass=chr_file
type=SYSCALL msg=audit(1125576074.805:781): arch=c000003e syscall=2 success=no
exit=-13 a0=2aaaabdbc4ed a1=0 a2=0 a3=2aaaabb26948 items=1 pid=11525 auid=0
uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125576074.805:781):  cwd="/"
type=PATH msg=audit(1125576074.805:781): item=0 name="/dev/urandom" flags=101 
inode=1159 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use /dev/urandom as random source
2. service radiusd start


Actual results:
Start of service fails because access to /dev/urandom is
denied by SELinux.


Expected results:
Start of service succeeds.
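
The audit records quoted in this report are one audit event (serial 781) split across four record types, and the useful facts are spread over them: the AVC record carries the source and target SELinux types and the denied permission, the SYSCALL record carries the real uid and executable and whether the call actually failed, and the PATH record carries the full path. The following is an added example, not part of the bug report or of any Fedora or FreeRADIUS tooling: it joins the records by serial, summarizes the denial, and renders the narrowest type-enforcement allow rule that would cover exactly that access (the same shape of rule that audit2allow would emit). The records are copied verbatim from the report; the helper names (`parse_records`, `summarize`, `allow_rule`, `review_flags`) are this example's own.

```python
import re
from collections import defaultdict

# The four audit records from the bug report, re-joined onto one line each.
AUDIT_LOG = """\
type=AVC msg=audit(1125576074.805:781): avc:  denied  { read } for  pid=11525 comm="radiusd" name="urandom" dev=tmpfs ino=1159 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=SYSCALL msg=audit(1125576074.805:781): arch=c000003e syscall=2 success=no exit=-13 a0=2aaaabdbc4ed a1=0 a2=0 a3=2aaaabb26948 items=1 pid=11525 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125576074.805:781):  cwd="/"
type=PATH msg=audit(1125576074.805:781): item=0 name="/dev/urandom" flags=101 inode=1159 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09
"""

# "type=X msg=audit(<timestamp>:<serial>): <body>"
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# "avc:  denied  { read write } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_records(log):
    """Group audit records by serial; AVC records become a list under 'AVC'."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. a blank line)
        serial, rtype, body = int(m.group("serial")), m.group("type"), m.group("body")
        if rtype == "AVC":
            a = AVC_RE.search(body)
            if not a:
                continue
            rec = parse_kv(a.group("rest"))
            rec["verdict"] = a.group("verdict")
            rec["perms"] = a.group("perms").split()
            events[serial].setdefault("AVC", []).append(rec)
        else:
            events[serial][rtype] = parse_kv(body)
    return dict(events)


def context_type(ctx):
    """Type component of a user:role:type[:level] SELinux security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarize(event):
    """Join the AVC record with the SYSCALL and PATH records of the same event."""
    avc = event["AVC"][0]
    sysc = event.get("SYSCALL", {})
    path = event.get("PATH", {})
    return {
        "process": sysc.get("exe", avc.get("comm")),
        "uid": int(sysc["uid"]) if "uid" in sysc else None,
        "path": path.get("name", avc.get("name")),
        "stype": context_type(avc["scontext"]),
        "ttype": context_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "verdict": avc["verdict"],
        # In permissive mode the AVC says "denied" but the syscall still succeeds;
        # success=no is the sign that enforcement actually broke the program.
        "enforced": sysc.get("success") == "no",
    }


def allow_rule(summary):
    """Render the narrowest TE rule permitting exactly the denied access."""
    perms = " ".join(sorted(summary["perms"]))
    return f"allow {summary['stype']} {summary['ttype']}:{summary['tclass']} {{ {perms} }};"


def review_flags(summary):
    """Things a reviewer should look at before accepting the generated rule."""
    flags = []
    harmless = {"read", "getattr", "open", "ioctl"}
    extra = sorted(set(summary["perms"]) - harmless)
    if summary["tclass"] == "chr_file" and extra:
        flags.append(f"rule grants more than read access to a device node: {extra}")
    if summary["ttype"] and summary["ttype"].endswith("_t") is False:
        flags.append("target context has no recognisable type")
    return flags


if __name__ == "__main__":
    for serial, event in parse_records(AUDIT_LOG).items():
        s = summarize(event)
        state = "enforced" if s["enforced"] else "permissive"
        print(f"event {serial}: {s['process']} (uid {s['uid']}) {s['verdict']} "
              f"{s['perms']} on {s['path']} [{s['ttype']}], {state}")
        print("  suggested rule:", allow_rule(s))
        for flag in review_flags(s):
            print("  REVIEW:", flag)
```

For the event in this report the output rule is `allow radiusd_t urandom_device_t:chr_file { read };`, which is the same scope as the fix Daniel Walsh shipped in the policy package: a read of a random device node by the radiusd domain, nothing broader. The `enforced` flag matters when reading such logs later: the same AVC line in permissive mode would show `success=yes` in the SYSCALL record, and the daemon would have started anyway.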

Comment 1 Daniel Walsh 2005-11-03 19:01:35 UTC
Fixed in selinux-policy-targeted.noarch-1.25.4-13

Comment 2 Joachim Selke 2005-11-05 18:33:46 UTC
I use selinux-policy-targeted-1.27.1-2.11 and the problem (exactly as mentioned
above) is still there. A reboot (with autorelabel) does not change this.

Comment 3 Joachim Selke 2005-11-28 20:15:49 UTC
The selinux bug is fixed in selinux-policy-targeted-1.27.1-2.11.

But I think this bug should stay open and be assigned to radiusd. The
enhancement thing I mentioned in my bug report is still unchanged (or at least
there should be a comment on this):

"When using EAP-TLS in FreeRADIUS a random source can be specified in
/etc/raddb/eap.conf with the option random_file. In default configuration the
file ${raddbdir}/certs/random is used for this.

As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom
as a random source (which sounds much better to me than the static file above),
it should be a good idea to use this in the FreeRADIUS default configuration."

Comment 4 Joachim Selke 2005-11-28 20:18:39 UTC
I made a copy 'n' paste mistake. The selinux bug is fixed in
selinux-policy-targeted-1.27.1-2.14. Thank you, Daniel.

Comment 5 Daniel Walsh 2006-05-05 15:07:02 UTC
Closing as these have been marked as modified for a while. Feel free to reopen
if not fixed.