Description of problem:
When selinux is in enforce mode the radius daemon start will fail

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.47-3.fc5

How reproducible:
run service radiusd start

Actual results:
start fails

Expected results:
running radiusd

Additional info:
error at audit:
Jul 17 09:16:14 kernel: audit(1153120574.167:12): avc: denied { write } for pid=2442 comm=radiusd name="db.daily" dev=md1 ino=7858082 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:radiusd_etc_t tclass=file
I am adding the ability to write db.daily in the /etc/raddb directory. Are there any others that it needs to be able to write? Having configuration data in the same directory as writable data is somewhat hard to deal with for SELinux, and it would be better if this was in a subdirectory.
It is no problem to put the file db.daily in /var, but then you must tell me and the maintainer of the radius package where the file should live, so that SELinux will not block it. There can be many other files that will be writable. This will depend on the parts of the daemon that are enabled. I think it will be better to make a general change for radius so that all files that need to be writable must live in /var/radius or something.
The db files moved to /var/lib/raddb in package freeradius-1.1.7-1.
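An added example, not part of the original report or of the selinux-policy or freeradius packages: a small triage script that parses AVC denial lines like the one quoted above and reports cases where a domain was denied a write to an object labelled as configuration (a type ending in etc_t), which is the pattern this bug turned on. The function names, the set of write-like permissions and the second log line are assumptions made for the illustration.

```python
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: the file permissions treated as "write-like" for this triage.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

# Line 1 is the denial from the report; line 2 is constructed for contrast.
SAMPLE_LOG = '''\
Jul 17 09:16:14 kernel: audit(1153120574.167:12): avc: denied { write } for pid=2442 comm=radiusd name="db.daily" dev=md1 ino=7858082 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:radiusd_etc_t tclass=file
Jul 17 09:16:15 kernel: audit(1153120575.201:13): avc: denied { read write } for pid=2442 comm="radiusd" name="example.log" dev=md1 ino=1 scontext=system_u:system_r:radiusd_t tcontext=system_u:object_r:var_log_t tclass=file
'''


def _type_of(context):
    """Security context is user:role:type[:level]; return the type or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    src, tgt = _type_of(fields["scontext"]), _type_of(fields["tcontext"])
    if src is None or tgt is None:
        return None
    return {"perms": set(m.group(1).split()), "name": fields.get("name"),
            "source_type": src, "target_type": tgt, "tclass": fields["tclass"]}


def config_write_denials(log_text):
    """List denied writes to files/dirs whose type marks them as config."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] not in ("file", "dir"):
            continue
        denied = rec["perms"] & WRITE_PERMS
        if denied and rec["target_type"].endswith("etc_t"):
            hits.append((rec["source_type"], rec["target_type"],
                         rec["name"], sorted(denied)))
    return hits
```

Each hit names a file that is runtime state living under a configuration label, so it is a candidate for relocation to a separately labelled directory rather than for a broader allow rule.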