Bug 199082

Summary: selinux stops radiusd
Product: [Fedora] Fedora
Component: freeradius
Version: 5
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Reporter: Frank Büttner <bugzilla>
Assignee: Thomas Woerner <twoerner>
CC: k.georgiou
Doc Type: Bug Fix
Last Closed: 2007-08-28 13:04:12 UTC

Description Frank Büttner 2006-07-17 07:26:01 UTC
Description of problem:
When selinux is in enforce mode the radius daemon start will fail

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.47-3.fc5

How reproducible:
run service radiusd start
 
Actual results:
start fails

Expected results:
running radiusd

Additional info:
error at audit:
Jul 17 09:16:14 kernel: audit(1153120574.167:12): avc:  denied  { write } for pid=2442 comm=radiusd name="db.daily" dev=md1 ino=7858082 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:radiusd_etc_t tclass=file

Comment 1 Daniel Walsh 2006-07-17 14:30:50 UTC
I am adding the ability to write db.daily in the /etc/raddb directory.  Are
there any others that it needs to be able to write?

Having configuration data in the same directory as writable data is somewhat
hard to deal with for SELinux and would be better if this was in a subdirectory.

Comment 2 Frank Büttner 2006-07-17 15:23:37 UTC
It is no problem to put the file db.daily in /var, but then you must tell me and
the maintainer of the radius package where the file should live, so that
selinux will not block it. There can be many other files that will be
writable. This will depend on the parts of the daemon that are enabled. I think it
will be better to make a general change for radius so that all files that need
to be writable must live in /var/radius or something.

Comment 3 Thomas Woerner 2007-08-28 13:04:12 UTC
The db files moved to /var/lib/raddb in package freeradius-1.1.7-1.
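
An added example, not part of the original bug thread: Python code that parses AVC denial lines like the one in the description and reports denied write-class permissions on targets labelled with a configuration type, the situation Comment 1 describes. The `_etc_t` suffix heuristic, the chosen permission set, the function names, and the second and third sample log lines are assumptions made for illustration.

```python
import re

# First line is the denial from the bug report; the other two are constructed samples.
SAMPLE_LOG = """\
Jul 17 09:16:14 kernel: audit(1153120574.167:12): avc:  denied  { write } for pid=2442 comm=radiusd name="db.daily" dev=md1 ino=7858082 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:radiusd_etc_t tclass=file
Jul 17 09:16:15 kernel: audit(1153120575.201:13): avc:  denied  { read } for pid=2442 comm=radiusd name="example.conf" dev=md1 ino=7858090 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:radiusd_etc_t tclass=file
Jul 17 09:16:16 kernel: audit(1153120576.310:14): avc:  denied  { write add_name } for pid=2442 comm=radiusd name="example.db" dev=md1 ino=7858100 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:radiusd_etc_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions that modify a file or directory (illustrative subset).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
               "setattr", "add_name", "remove_name"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = set(m.group(1).split())
    return rec

def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def config_write_denials(log_text):
    """List (comm, name, tclass, perms) for denied writes to config-labelled targets."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        wanted = rec["perms"] & WRITE_PERMS
        # Assumption: configuration types follow the *_etc_t naming seen in the report.
        if wanted and selinux_type(rec.get("tcontext", "")).endswith("_etc_t"):
            hits.append((rec.get("comm"), rec.get("name"),
                         rec.get("tclass"), sorted(wanted)))
    return hits

if __name__ == "__main__":
    for hit in config_write_denials(SAMPLE_LOG):
        print(hit)
```

Each hit names a file or directory that a daemon tried to modify while it carried a configuration label, which is a candidate for relocation to a separately labelled writable directory rather than for a broader allow rule.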