Bug 1289330 - SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.
SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a pro...
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: freeradius (Show other bugs)
22
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Nikolai Kondrashov
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-07 16:24 EST by pgaltieri
Modified: 2016-07-19 15:23 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 15:23:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
radiusd.conf (25.94 KB, text/plain)
2015-12-18 11:32 EST, pgaltieri
no flags Details

  None (edit)
Description pgaltieri 2015-12-07 16:24:11 EST
Description of problem:
I've been running radiusd for years, and after I rebooted my system radiusd no longer starts.  I now get the following error:

SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.

Version-Release number of selected component (if applicable):
3.0.9-1.fc22

How reproducible:
Everytime I start radiusd 

Steps to Reproduce:
1. systemctl start radiusd
2.
3.

Actual results:
SELinux is preventing /usr/sbin/radiusd from using the ptrace access on a process.

Expected results:
radiusd should start.

Additional info:
Just a note that radiusd does not start on boot, and never has.  It must be started manually after boot.

I marked this as high as I use radiusd for authentication to my Cisco hardware.
Comment 1 pgaltieri 2015-12-12 12:23:52 EST
I created and installed the policy module for this alert.  I tried to restart radiusd and I got another alert this time for sys_ptrace.  I wasn't sure if I should create a separate bug for the sys_ptrace issue
Comment 2 Nikolai Kondrashov 2015-12-15 10:30:13 EST
Thank you for the report. Could you please post "radiusd -X" output for this issue, plus the contents of your /etc/raddb directory (scrubbed, if necessary), or at least just /etc/raddb/radiusd.conf. Thank you.
Comment 3 pgaltieri 2015-12-17 15:41:42 EST
radiusd -X will not trigger the alert.  I get the error described in bug 1291006.

Only doing systemctl start radiusd triggers the SElinux alert.
Comment 4 pgaltieri 2015-12-17 16:48:34 EST
Some additional information.  After fixing the problem described in bug 1291006 I now get the alert for ptrace and a new SElinux alert for execmem, but radiusd does run.

I am going to file a bug against the execmem issue, since this is a new issue.
Comment 5 Nikolai Kondrashov 2015-12-18 08:16:48 EST
Understood, thank you. Could you please post the contents of your /etc/raddb directory (scrubbed, if necessary), or at least just /etc/raddb/radiusd.conf?
Comment 6 pgaltieri 2015-12-18 11:32 EST
Created attachment 1107222 [details]
radiusd.conf

Attached radiusd.conf
Comment 7 Fedora End Of Life 2016-07-19 15:23:27 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.