Description of problem:
When using EAP-TLS in FreeRADIUS a random source can be specified in /etc/raddb/eap.conf with the option random_file. In the default configuration the file ${raddbdir}/certs/random is used for this. As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom as a random source (which sounds to me much better than the static file above), it should be a good idea to use this in the FreeRADIUS default configuration. But there is another problem: SELinux denies access to /dev/urandom. Here is the error message from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125576074.805:781): avc: denied { read } for pid=11525 comm="radiusd" name="urandom" dev=tmpfs ino=1159 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=SYSCALL msg=audit(1125576074.805:781): arch=c000003e syscall=2 success=no exit=-13 a0=2aaaabdbc4ed a1=0 a2=0 a3=2aaaabb26948 items=1 pid=11525 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125576074.805:781): cwd="/"
type=PATH msg=audit(1125576074.805:781): item=0 name="/dev/urandom" flags=101 inode=1159 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09

Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10

How reproducible:
Every time.

Steps to Reproduce:
1. Use /dev/urandom as random source
2. service radiusd start

Actual results:
start of service fails, because access to /dev/urandom is denied by SELinux

Expected results:
start of service succeeds
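As an added example (not part of the bug report, the SELinux policy package or the FreeRADIUS project), a small POSIX shell script that pulls the source type, target type, object class and denied permission out of an AVC record like the one quoted above; these four fields are what a policy maintainer checks to confirm which allow rule (here: radiusd_t reading a urandom_device_t chr_file) is missing. The sample line is the one from the report, embedded as constructed input, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarize an SELinux AVC denial from /var/log/audit/audit.log.
# Constructed input: the AVC record quoted in the bug report.
AVC_LINE='type=AVC msg=audit(1125576074.805:781): avc: denied { read } for pid=11525 comm="radiusd" name="urandom" dev=tmpfs ino=1159 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file'

# avc_field LINE KEY -> value of the KEY=value pair in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_permission LINE -> the permission listed inside "denied { ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT -> the type component (user:role:type) of an SELinux context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type target_type tclass permission"
avc_summary() {
    line=$1
    printf '%s %s %s %s\n' \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_permission "$line")"
}

# For the record above this prints: radiusd_t urandom_device_t chr_file read
avc_summary "$AVC_LINE"
```

The summary line maps directly onto the allow rule the fixed policy has to contain (source type, target type, class, permission); feeding the same audit record to audit2allow shows the rule in policy syntax and, with -w, why the current policy denies it.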
Fixed in selinux-policy-targeted.noarch-1.25.4-13
I use selinux-policy-targeted-1.27.1-2.11 and the problem (exactly as mentioned above) is still there. A reboot (with autorelabel) does not change this.
The selinux bug is fixed in selinux-policy-targeted-1.27.1-2.11. But I think this bug should stay open and be assigned to radiusd. The enhancement thing I mentioned in my bug report is still unchanged (or at least there should be a comment on this): "When using EAP-TLS in FreeRADIUS a random source can be specified in /etc/raddb/eap.conf with the option random_file. In the default configuration the file ${raddbdir}/certs/random is used for this. As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom as a random source (which sounds to me much better than the static file above), it should be a good idea to use this in the FreeRADIUS default configuration."
I made a copy 'n' paste mistake. The selinux bug is fixed in selinux-policy-targeted-1.27.1-2.14. Thank you, Daniel.
Closing, as these have been marked as modified for a while. Feel free to reopen if not fixed.