Description of problem:
When using EAP-TLS in FreeRADIUS a CA root certificate file can be specified in /etc/raddb/eap.conf with the option CA_file. In default configuration the file ${raddbdir}/certs/demoCA/cacert.pem is used for this. As Fedora Core 4 comes with the CA file /etc/pki/tls/certs/ca-bundle.crt it should be a good idea to use this one in FreeRADIUS. But SELinux denies access to it in enforcing mode; here are the error messages from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125573605.073:758): avc: denied { search } for pid=11155 comm="radiusd" name="pki" dev=sda3 ino=327401 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:cert_t tclass=dir
type=SYSCALL msg=audit(1125573605.073:758): arch=c000003e syscall=2 success=no exit=-13 a0=555555784be0 a1=0 a2=1b6 a3=0 items=1 pid=11155 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125573605.073:758): cwd="/"
type=PATH msg=audit(1125573605.073:758): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" flags=101 inode=327401 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10

How reproducible:
Every time.

Steps to Reproduce:
1. Use /etc/pki/tls/certs/ca-bundle.crt as CA file
2. service radiusd start

Actual results:
Start of service fails, because access to /etc/pki/tls/certs/ca-bundle.crt is denied by SELinux.

Expected results:
Start of service succeeds.

Additional info:
Perhaps it is a good idea to use /etc/pki/tls/certs/ca-bundle.crt as CA file in default configuration. In addition "CA_path = /etc/pki/tls/certs" should be set in /etc/raddb/eap.conf right after CA_file as default configuration. This makes it easier to maintain a central key infrastructure in /etc/pki/tls. Maybe there are some other files in /etc/raddb where similar modifications are useful.
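The AVC record quoted in the report carries everything needed to decide whether a denial is a policy gap (as the maintainer later concluded for radiusd_t reading cert_t) or a real misconfiguration: the source type, the target type, the object class and the permission, with the PATH record of the same audit serial naming the file. As an added example, not part of this bug report and not FreeRADIUS or SELinux tooling, the Python below parses such records, joins each denial to its PATH record by serial, and groups denials into allow rules of the same shape audit2allow summarises them in. The sample log is constructed from the report's own lines; the second AVC record (a read denial on the file itself) is invented to show how several denials against one type pair are grouped.

```python
import re
from collections import defaultdict

# Constructed sample: the first four records are copied from the report above;
# the final AVC record is invented to show grouping of a second denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125573605.073:758): avc: denied { search } for pid=11155 comm="radiusd" name="pki" dev=sda3 ino=327401 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:cert_t tclass=dir
type=SYSCALL msg=audit(1125573605.073:758): arch=c000003e syscall=2 success=no exit=-13 a0=555555784be0 a1=0 a2=1b6 a3=0 items=1 pid=11155 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125573605.073:758): cwd="/"
type=PATH msg=audit(1125573605.073:758): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" flags=101 inode=327401 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125573605.074:759): avc: denied { read } for pid=11155 comm="radiusd" name="ca-bundle.crt" dev=sda3 ino=327402 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:cert_t tclass=file
"""

# Pattern for an AVC record: audit serial, verdict, permission set, and the
# source/target security contexts plus object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Pattern for a PATH record; it shares the audit serial with its AVC record.
PATH_RE = re.compile(
    r'type=PATH msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?\sname="(?P<name>[^"]*)"'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc_denials(text):
    """Parse audit.log text into a list of denial dicts.

    Each dict holds the audit serial, the denied permissions, the source and
    target types, the object class, and the path from the PATH record with the
    same serial (None when no PATH record was logged).
    """
    paths = {}
    denials = []
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths[m.group('serial')] = m.group('name')
            continue
        m = AVC_RE.match(line)
        if m and m.group('verdict') == 'denied':
            denials.append({
                'serial': m.group('serial'),
                'perms': m.group('perms').split(),
                'stype': context_type(m.group('scontext')),
                'ttype': context_type(m.group('tcontext')),
                'tclass': m.group('tclass'),
            })
    # PATH records follow their AVC record, so resolve paths after a full pass.
    for d in denials:
        d['path'] = paths.get(d['serial'])
    return denials


def te_rules(denials):
    """Group denials by (source type, target type, class) into allow rules,
    in the same form audit2allow prints them."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"serial {d['serial']}: {d['stype']} -> {d['ttype']}:{d['tclass']} "
              f"{d['perms']} path={d['path']}")
    print('\n'.join(te_rules(found)))
```

The grouped rules are what a policy maintainer would review before deciding, as happened here, that the access belongs in the distribution policy rather than in a local module; the joined path makes it easy to confirm the denial concerns the expected CA bundle and not some unrelated file under /etc/pki.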
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.
Assigning to selinux-policy-targeted.
This access was not present in FC6 or beyond. I will update F-7 and rawhide today, and FC7 next time an update happens.
Moving modified bugs to closed