Bug 167290 - Using /dev/urandom with FreeRADIUS
Summary: Using /dev/urandom with FreeRADIUS
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-09-01 12:02 UTC by Joachim Selke
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-05 15:07:02 UTC
Type: ---
Embargoed:



Description Joachim Selke 2005-09-01 12:02:39 UTC
Description of problem:
When using EAP-TLS in FreeRADIUS a random source can be specified in
/etc/raddb/eap.conf with the option random_file. In default configuration the
file ${raddbdir}/certs/random is used for this.

As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom
as a random source (which sounds to me much better than the static file above),
it should be a good idea to use this in the FreeRADIUS default configuration.

But there is another problem: SELinux denies access to /dev/urandom, here is the
error message from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125576074.805:781): avc:  denied  { read } for  pid=11525
comm="radiusd" name="urandom" dev=tmpfs ino=1159
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t
tclass=chr_file
type=SYSCALL msg=audit(1125576074.805:781): arch=c000003e syscall=2 success=no
exit=-13 a0=2aaaabdbc4ed a1=0 a2=0 a3=2aaaabb26948 items=1 pid=11525 auid=0
uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125576074.805:781):  cwd="/"
type=PATH msg=audit(1125576074.805:781): item=0 name="/dev/urandom" flags=101 
inode=1159 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use /dev/urandom as random source
2. service radiusd start


Actual results:
start of service fails, because access to /dev/urandom is
denied by SELinux


Expected results:
start of service succeeds
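As an added illustration (not part of the bug report or of the selinux-policy package), the following Python parses the AVC record quoted above and renders the single TE allow rule that denial implies, which is what a policy maintainer would compare against the fixed policy; it also handles contexts that carry an MLS level, which the FC4-era record above does not. The regex and helper names are my own.

```python
import re

# Constructed sample: the AVC record quoted in this bug report, re-joined onto
# one line (audit.log writes each record on one line; the report wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1125576074.805:781): avc:  denied  { read } for  pid=11525 '
    'comm="radiusd" name="urandom" dev=tmpfs ino=1159 '
    'scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t '
    'tclass=chr_file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return source type, target type, object class and permissions of an AVC
    record, or None for non-AVC lines (SYSCALL, CWD, PATH, ...). Works with and
    without an MLS level: contexts are user:role:type[:level]."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'result': m.group('result'),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
        'perms': sorted(m.group('perms').split()),
    }

def allow_rule(avc):
    """Render the narrowest TE allow rule that satisfies this one denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"

def denials_for(lines, domain):
    """Collect rules for denials whose source domain is `domain`, e.g. radiusd_t."""
    rules = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['result'] == 'denied' and avc['stype'] == domain:
            rules.append(allow_rule(avc))
    return rules

if __name__ == '__main__':
    for rule in denials_for([SAMPLE_AVC], 'radiusd_t'):
        print(rule)  # prints: allow radiusd_t urandom_device_t:chr_file read;
```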

Comment 1 Daniel Walsh 2005-11-03 19:01:35 UTC
Fixed in selinux-policy-targeted.noarch-1.25.4-13

Comment 2 Joachim Selke 2005-11-05 18:33:46 UTC
I use selinux-policy-targeted-1.27.1-2.11 and the problem (exactly as mentioned
above) is still there. A reboot (with autorelabel) does not change this.

Comment 3 Joachim Selke 2005-11-28 20:15:49 UTC
The selinux bug is fixed in selinux-policy-targeted-1.27.1-2.11.

But I think this bug should stay open and be assigned to radiusd. The
enhancement thing I mentioned in my bug report is still unchanged (or at least
there should be a comment on this):

"When using EAP-TLS in FreeRADIUS a random source can be specified in
/etc/raddb/eap.conf with the option random_file. In default configuration the
file ${raddbdir}/certs/random is used for this.

As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom
as a random source (which sounds to me much better than the static file above),
it should be a good idea to use this in the FreeRADIUS default configuration."

Comment 4 Joachim Selke 2005-11-28 20:18:39 UTC
I made a copy 'n' paste mistake. The selinux bug is fixed in
selinux-policy-targeted-1.27.1-2.14. Thank you, Daniel.

Comment 5 Daniel Walsh 2006-05-05 15:07:02 UTC
Closing, as these have been marked as modified for a while. Feel free to reopen
if not fixed.

