Bug 167290 - Using /dev/urandom with FreeRADIUS
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64 Linux
Priority: medium Severity: medium
Assigned To: Thomas Woerner
Keywords: FutureFeature
Reported: 2005-09-01 08:02 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Enhancement
Last Closed: 2006-05-05 11:07:02 EDT
Description Joachim Selke 2005-09-01 08:02:39 EDT
Description of problem:
When using EAP-TLS in FreeRADIUS a random source can be specified in
/etc/raddb/eap.conf with the option random_file. In default configuration the
file ${raddbdir}/certs/random is used for this.

As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom
as a random source (which sounds much better to me than the static file above),
it should be a good idea to use this in the FreeRADIUS default configuration.

But there is another problem: SELinux denies access to /dev/urandom, here is the
error message from /var/log/audit/audit.log when starting FreeRADIUS:

type=AVC msg=audit(1125576074.805:781): avc:  denied  { read } for  pid=11525
comm="radiusd" name="urandom" dev=tmpfs ino=1159
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t
tclass=chr_file
type=SYSCALL msg=audit(1125576074.805:781): arch=c000003e syscall=2 success=no
exit=-13 a0=2aaaabdbc4ed a1=0 a2=0 a3=2aaaabb26948 items=1 pid=11525 auid=0
uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd"
exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125576074.805:781):  cwd="/"
type=PATH msg=audit(1125576074.805:781): item=0 name="/dev/urandom" flags=101 
inode=1159 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use /dev/urandom as random source
2. service radiusd start


Actual results:
start of service fails, because access to /dev/urandom is
denied by SELinux


Expected results:
start of service succeeds
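The AVC record above is the whole diagnosis: the audit event serial (781) ties the AVC line to the SYSCALL and PATH lines that name the executable, the unprivileged uid it runs as, and the object path. The following is an added example, not code from this report or from Fedora's policy, showing how to parse such audit.log records into one structured denial and print the type-enforcement rule that audit2allow would generate for it (`allow radiusd_t urandom_device_t:chr_file { read };`). The sample log is the four records from this bug, rejoined onto single lines as auditd writes them; the function names are assumptions. In practice a distribution policy update (as in comment 1) is the preferable fix, and any locally generated module should be read before loading, since it grants exactly the access that was denied.

```python
import re

# Constructed sample input: the four audit records quoted in this bug report,
# each rejoined onto a single line the way auditd writes them to audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125576074.805:781): avc:  denied  { read } for  pid=11525 comm="radiusd" name="urandom" dev=tmpfs ino=1159 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=SYSCALL msg=audit(1125576074.805:781): arch=c000003e syscall=2 success=no exit=-13 a0=2aaaabdbc4ed a1=0 a2=0 a3=2aaaabb26948 items=1 pid=11525 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=CWD msg=audit(1125576074.805:781):  cwd="/"
type=PATH msg=audit(1125576074.805:781): item=0 name="/dev/urandom" flags=101 inode=1159 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09
"""

# One audit record: type, timestamp, per-event serial number, free-form body.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# The AVC-specific prefix that precedes the key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
# key=value pairs; values may be double-quoted (comm, name, exe, cwd).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Group audit records by event serial: {serial: {record_type: [fields, ...]}}.

    All records of one kernel event share the msg=audit(ts:serial) stamp, which
    is what links the AVC line to the SYSCALL and PATH lines of the same event.
    """
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (e.g. a wrapped continuation line)
        body = m.group("body")
        fields = {}
        if m.group("type") == "AVC":
            avc = AVC_RE.match(body)
            if not avc:
                continue
            fields["result"] = avc.group("result")
            fields["perms"] = avc.group("perms").split()
            body = avc.group("rest")
        fields.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
        serial = int(m.group("serial"))
        events.setdefault(serial, {}).setdefault(m.group("type"), []).append(fields)
    return events


def selinux_type(context):
    """user:role:type[:range] -> type (works for MLS and non-MLS contexts)."""
    return context.split(":")[2]


def summarize_denials(events):
    """Flatten each denied AVC into one record joined with its SYSCALL/PATH data."""
    denials = []
    for serial, recs in sorted(events.items()):
        syscall = (recs.get("SYSCALL") or [{}])[0]
        paths = [p["name"] for p in recs.get("PATH", []) if "name" in p]
        for avc in recs.get("AVC", []):
            if avc["result"] != "denied":
                continue
            denials.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "exe": syscall.get("exe"),
                "uid": syscall.get("uid"),
                "source_type": selinux_type(avc["scontext"]),
                "target_type": selinux_type(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                # Prefer the full path from the PATH record over the bare AVC name.
                "path": paths[0] if paths else avc.get("name"),
            })
    return denials


def allow_rule(denial):
    """The TE allow rule granting exactly the denied access (audit2allow's shape)."""
    perms = " ".join(denial["perms"])
    return (f"allow {denial['source_type']} {denial['target_type']}:"
            f"{denial['tclass']} {{ {perms} }};")


if __name__ == "__main__":
    for d in summarize_denials(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"event {d['serial']}: {d['exe']} (uid {d['uid']}) denied "
              f"{' '.join(d['perms'])} on {d['path']} [{d['tclass']}]")
        print("  rule:", allow_rule(d))
```

Run against a real /var/log/audit/audit.log the parser skips non-audit lines and keeps multiple AVCs per event apart; the `path` field falls back to the bare `name=` from the AVC line when no PATH record is present, as is the case for denials on sockets and processes.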
Comment 1 Daniel Walsh 2005-11-03 14:01:35 EST
Fixed in selinux-policy-targeted.noarch-1.25.4-13
Comment 2 Joachim Selke 2005-11-05 13:33:46 EST
I use selinux-policy-targeted-1.27.1-2.11 and the problem (exactly as mentioned
above) is still there. A reboot (with autorelabel) does not change this.
Comment 3 Joachim Selke 2005-11-28 15:15:49 EST
The selinux bug is fixed in selinux-policy-targeted-1.27.1-2.11.

But I think this bug should stay open and be assigned to radiusd. The
enhancement thing I mentioned in my bug report is still unchanged (or at least
there should be a comment on this):

"When using EAP-TLS in FreeRADIUS a random source can be specified in
/etc/raddb/eap.conf with the option random_file. In default configuration the
file ${raddbdir}/certs/random is used for this.

As many FreeRADIUS configuration guides on the web tell you to use /dev/urandom
as a random source (which sounds much better to me than the static file above),
it should be a good idea to use this in the FreeRADIUS default configuration."
Comment 4 Joachim Selke 2005-11-28 15:18:39 EST
I made a copy 'n' paste mistake. The selinux bug is fixed in
selinux-policy-targeted-1.27.1-2.14. Thank you, Daniel.
Comment 5 Daniel Walsh 2006-05-05 11:07:02 EDT
Closing as these have been marked as modified for a while. Feel free to reopen
if not fixed.