Description of problem:
When using EAP-TLS in FreeRADIUS a CA root certificate file can be specified in
/etc/raddb/eap.conf with the option CA_file. In default configuration the file
${raddbdir}/certs/demoCA/cacert.pem is used for this. As Fedora Core 4 comes
with the CA file /etc/pki/tls/certs/ca-bundle.crt it should be a good idea to
use this one in FreeRADIUS. But SELinux denies access to it in enforcing mode,
here are the error messages from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125573605.073:758): avc:  denied  { search } for  pid=11155
comm="radiusd" name="pki" dev=sda3 ino=327401 scontext=root:system_r:radiusd_t
tcontext=system_u:object_r:cert_t tclass=dir
type=SYSCALL msg=audit(1125573605.073:758): arch=c000003e syscall=2 success=no
exit=-13 a0=555555784be0 a1=0 a2=1b6 a3=0 items=1 pid=11155 auid=0 uid=95 gid=95
euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125573605.073:758):  cwd="/"
type=PATH msg=audit(1125573605.073:758): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" flags=101  inode=327401 dev=08:03
mode=040755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use /etc/pki/tls/certs/ca-bundle.crt as CA file
2. service radiusd start


Actual results:
start of service fails, because access to /etc/pki/tls/certs/ca-bundle.crt is
denied by SELinux


Expected results:
start of service succeeds


Additional info:
Perhaps it is a good idea to use /etc/pki/tls/certs/ca-bundle.crt as CA file in
default configuration.

In addition "CA_path = /etc/pki/tls/certs" should be set in /etc/raddb/eap.conf
right after CA_file as default configuration. This makes it easier to maintain a
central key infrastructure in /etc/pki/tls.

Maybe there are some other files in /etc/raddb where similar modifications are
useful.