1289330 – SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.

Bug 1289330 - SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.

Summary: SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a pro...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	freeradius
Sub Component:
Version:	22
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Nikolai Kondrashov
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-07 21:24 UTC by pgaltieri
Modified:	2016-07-19 19:23 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-07-19 19:23:27 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
radiusd.conf (25.94 KB, text/plain) 2015-12-18 16:32 UTC, pgaltieri	no flags	Details
View All

Description pgaltieri 2015-12-07 21:24:11 UTC

Description of problem:
I've been running radiusd for years, and after I rebooted my system radiusd no longer starts.  I now get the following error:

SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.

Version-Release number of selected component (if applicable):
3.0.9-1.fc22

How reproducible:
Everytime I start radiusd 

Steps to Reproduce:
1. systemctl start radiusd
2.
3.

Actual results:
SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.

Expected results:
radiusd should start.

Additional info:
Just a note that radiusd does not start on boot, and never has.  It must be started manually after boot.

I marked this as high as I use radiusd for authentication to my Cisco hardware.

Comment 1 pgaltieri 2015-12-12 17:23:52 UTC

I created and installed the policy module for this alert.  I tried to restart radiusd and I got another alert this time for sys_ptrace.  I wasn't sure if I should create a separate bug for the sys_ptrace issue

Comment 2 Nikolai Kondrashov 2015-12-15 15:30:13 UTC

Thank you for the report. Could you please post "radiusd -X" output for this issue, plus the contents of your /etc/raddb directory (scrubbed, if necessary), or at least just /etc/raddb/radiusd.conf. Thank you.

Comment 3 pgaltieri 2015-12-17 20:41:42 UTC

radiusd -X will not trigger the alert.  I get the error described in bug 1291006.

Only doing systemctl start radiusd triggers the SElinux alert.

Comment 4 pgaltieri 2015-12-17 21:48:34 UTC

Some additional information.  After fixing the problem described in bug 1291006 I now get the alert for ptrace and a new SElinux alert for execmem, but radiusd does run.

I am going to file a bug against the execmem issue, since this is a new issue.

Comment 5 Nikolai Kondrashov 2015-12-18 13:16:48 UTC

Understood, thank you. Could you please post the contents of your /etc/raddb directory (scrubbed, if necessary), or at least just /etc/raddb/radiusd.conf?

Comment 6 pgaltieri 2015-12-18 16:32:08 UTC

Created attachment 1107222 [details]
radiusd.conf

Attached radiusd.conf

Comment 7 Fedora End Of Life 2016-07-19 19:23:27 UTC

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.