Bug 167289 - Using /etc/pki/tls/certs/ca-bundle.crt with FreeRADIUS
Using /etc/pki/tls/certs/ca-bundle.crt with FreeRADIUS
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-01 07:52 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-12 13:08:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Joachim Selke 2005-09-01 07:52:19 EDT
Description of problem:
When using EAP-TLS in FreeRADIUS a CA root certificate file can be specified in
/etc/raddb/eap.conf with the option CA_file. In default configuration the file
${raddbdir}/certs/demoCA/cacert.pem is used for this. As Fedora Core 4 comes
with the CA file /etc/pki/tls/certs/ca-bundle.crt it should be a good idea to
use this one in FreeRADIUS. But SELinux denies access to it in enforcing mode,
here are the error messages from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125573605.073:758): avc:  denied  { search } for  pid=11155
comm="radiusd" name="pki" dev=sda3 ino=327401 scontext=root:system_r:radiusd_t
tcontext=system_u:object_r:cert_t tclass=dir
type=SYSCALL msg=audit(1125573605.073:758): arch=c000003e syscall=2 success=no
exit=-13 a0=555555784be0 a1=0 a2=1b6 a3=0 items=1 pid=11155 auid=0 uid=95 gid=95
euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125573605.073:758):  cwd="/"
type=PATH msg=audit(1125573605.073:758): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" flags=101  inode=327401 dev=08:03
mode=040755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use /etc/pki/tls/certs/ca-bundle.crt as CA file
2. service radiusd start


Actual results:
start of service fails, because access to /etc/pki/tls/certs/ca-bundle.crt is
denied by SELinux


Expected results:
start of service succeeds


Additional info:
Perhaps it is a good idea to use /etc/pki/tls/certs/ca-bundle.crt as CA file in
default configuration.

In addition "CA_path = /etc/pki/tls/certs" should be set in /etc/raddb/eap.conf
right after CA_file as default configuration. This makes it easier to maintain a
central key infrastructure in /etc/pki/tls.

Maybe there are some other files in /etc/raddb where similar modifications are
useful.
Comment 1 Christian Iseli 2007-01-22 05:50:14 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 2 Thomas Woerner 2007-07-23 09:54:03 EDT
Assigning to selinux-policy-targeted.
Comment 3 Daniel Walsh 2007-07-23 10:51:10 EDT
This access was not present in FC6 or beyond.  I will update F-7 and rawhide
today, and FC7 next time an update happens.
Comment 4 Daniel Walsh 2007-09-12 13:08:19 EDT
Moving modified bugs to closed

Note You need to log in before you can comment on or make changes to this bug.