Description of problem:
There were modifications to freeradius2 in 2.1.9 related to core dumps. SELinux policy does not allow freeradius 2.1.9 to disable core dumps.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5_4.4
freeradius2 - rpms built from official release available at ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.9.tar.gz

How reproducible:
Always

Steps to Reproduce:
** SELinux in Enforcing mode
1. Build and install FR v2.1.9
2. Configure "allow_core_dumps = no" in /etc/raddb/radiusd.conf
3. Start/Restart FR.

Actual results:
The following will be logged in the FR log:

Wed Jun 2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied

Audit log:

type=SYSCALL msg=audit(1278078430.225:95619): arch=c000003e syscall=1 success=yes exit=1796774 a0=4 a1=2b254a26d000 a2=1b6aa6 a3=0 items=0 ppid=17551 pid=17552 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16471 comm="load_policy" exe="/usr/sbin/load_policy" subj=user_u:system_r:load_policy_t:s0 key=(null)
type=AVC msg=audit(1278078436.202:95620): avc: denied { setrlimit } for pid=17567 comm="radiusd" scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:system_r:radiusd_t:s0 tclass=process
type=SYSCALL msg=audit(1278078436.202:95620): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fff020338f0 a2=0 a3=ea items=0 ppid=17566 pid=17567 auid=500 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts0 ses=16471 comm="radiusd" exe="/usr/sbin/radiusd" subj=user_u:system_r:radiusd_t:s0 key=(null)

I cannot confirm whether FR still produces core dumps upon failure.

Expected results:
No SELinux errors and core dumps successfully disabled.
Additional info:
audit2allow produces the following policy updates which appear to prevent this behavior:

module freeradius2 1.0;

require {
	type radiusd_t;
	class process setrlimit;
}

#============= radiusd_t ==============
allow radiusd_t self:process setrlimit;
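The AVC record in the report is the kernel refusing radiusd's own setrlimit(2) call (syscall 160 on x86_64 in the SYSCALL record, exit=-13, i.e. EACCES), which is how a daemon drops RLIMIT_CORE to 0 when core dumps are configured off. The following C program is an added illustration, not freeradius code: it disables core dumps the same way, surfaces the errno instead of failing silently, and verifies the resulting limit so an SELinux denial is distinguishable from a successful call. Function names and the wording of the messages are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Disable core dumps for this process by dropping RLIMIT_CORE to 0
 * (soft and hard limit).  Lowering a limit needs no privilege under
 * plain DAC, but under SELinux the calling domain still needs the
 * process:setrlimit permission on itself (the "allow radiusd_t
 * self:process setrlimit" rule above).  A denial arrives here as
 * EACCES, which is the "Permission denied" seen in the radiusd log.
 * Returns 0 on success, or -errno on failure. */
int disable_core_dumps(void)
{
    struct rlimit core = { .rlim_cur = 0, .rlim_max = 0 };

    if (setrlimit(RLIMIT_CORE, &core) < 0)
        return -errno;
    return 0;
}

/* Read back RLIMIT_CORE to confirm the change actually took effect.
 * Returns 1 if the soft limit is 0 (no core files will be written),
 * 0 if core dumps are still possible, -1 if the limit cannot be read. */
int core_dumps_disabled(void)
{
    struct rlimit core;

    if (getrlimit(RLIMIT_CORE, &core) < 0)
        return -1;
    return core.rlim_cur == 0 ? 1 : 0;
}

int main(void)
{
    int rc = disable_core_dumps();

    if (rc < 0) {
        /* This is the branch radiusd hit under the old policy. */
        fprintf(stderr, "Failed disabling core dumps: %s%s\n",
                strerror(-rc),
                rc == -EACCES
                    ? " (look for an AVC denial on process:setrlimit in the audit log)"
                    : "");
        return 1;
    }

    if (core_dumps_disabled() == 1)
        printf("core dumps disabled (RLIMIT_CORE = 0)\n");
    else
        printf("warning: RLIMIT_CORE is not 0 after setrlimit succeeded\n");
    return 0;
}
```

Checking the limit after the call matters in the situation this bug describes: the reporter could not tell whether radiusd still produced core files, and a read-back of RLIMIT_CORE (or `cat /proc/<pid>/limits` from outside the process) answers that directly, independent of whether the error message was logged.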
This is allowed in RHEL6 and should be backported.
Fixed in selinux-policy-2.4.6-281.el5.noarch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html