Bug 167289 - Using /etc/pki/tls/certs/ca-bundle.crt with FreeRADIUS
Summary: Using /etc/pki/tls/certs/ca-bundle.crt with FreeRADIUS
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Keywords: FutureFeature
Depends On:
TreeView+ depends on / blocked
Reported: 2005-09-01 11:52 UTC by Joachim Selke
Modified: 2007-11-30 22:11 UTC (History)
0 users

Clone Of:
Last Closed: 2007-09-12 17:08:19 UTC

Attachments (Terms of Use)

Description Joachim Selke 2005-09-01 11:52:19 UTC
Description of problem:
When using EAP-TLS in FreeRADIUS a CA root certificate file can be specified in
/etc/raddb/eap.conf with the option CA_file. In default configuration the file
${raddbdir}/certs/demoCA/cacert.pem is used for this. As Fedora Core 4 comes
with the CA file /etc/pki/tls/certs/ca-bundle.crt it should be a good idea to
use this one in FreeRADIUS. But SELinux denies access to it in enforcing mode,
here are the error messages from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125573605.073:758): avc:  denied  { search } for  pid=11155
comm="radiusd" name="pki" dev=sda3 ino=327401 scontext=root:system_r:radiusd_t
tcontext=system_u:object_r:cert_t tclass=dir
type=SYSCALL msg=audit(1125573605.073:758): arch=c000003e syscall=2 success=no
exit=-13 a0=555555784be0 a1=0 a2=1b6 a3=0 items=1 pid=11155 auid=0 uid=95 gid=95
euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
type=CWD msg=audit(1125573605.073:758):  cwd="/"
type=PATH msg=audit(1125573605.073:758): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" flags=101  inode=327401 dev=08:03
mode=040755 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Use /etc/pki/tls/certs/ca-bundle.crt as CA file
2. service radiusd start

Actual results:
start of service fails, because access to /etc/pki/tls/certs/ca-bundle.crt is
denied by SELinux

Expected results:
start of service succeeds

Additional info:
Perhaps it is a good idea to use /etc/pki/tls/certs/ca-bundle.crt as CA file in
default configuration.

In addition "CA_path = /etc/pki/tls/certs" should be set in /etc/raddb/eap.conf
right after CA_file as default configuration. This makes it easier to maintain a
central key infrastructure in /etc/pki/tls.

Maybe there are some other files in /etc/raddb where similar modifications are

Comment 1 Christian Iseli 2007-01-22 10:50:14 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?


Comment 2 Thomas Woerner 2007-07-23 13:54:03 UTC
Assigning to selinux-policy-targeted.

Comment 3 Daniel Walsh 2007-07-23 14:51:10 UTC
This access was not present in FC6 or beyond.  I will update F-7 and rawhide
today, and FC7 next time an update happens.

Comment 4 Daniel Walsh 2007-09-12 17:08:19 UTC
Moving modified bugs to closed

Note You need to log in before you can comment on or make changes to this bug.