Description of problem:
I cannot use freeradius with default selinux target policies with ntlm_auth authentication for EAP-TTLS that needs mschapv2 authentication.

From: /var/log/audit/audit.log:
type=AVC msg=audit(1282729991.563:368): avc: denied { execute } for pid=12743 comm="radiusd" name="ntlm_auth" dev=dm-6 ino=29739 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:winbind_helper_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
freeradius-2.1.9-1.fc13.x86_64
selinux-policy-targeted-3.7.19-49.fc13.noarch

How reproducible:
always

Steps to Reproduce:
1. in file /etc/raddb/modules/mschap enable ntlm_auth, i.e.
   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
2. use EAP-TTLS auth or any other that uses mschap authentication
3. run radiusd with default privileges (effective user is radiusd)

Actual results:
authentication not working

Expected results:
working authentication without AVC

Additional info:
using my local selinux policy solved my problem, but in case of using ntlm_auth, a selinux boolean should be created for enabling execution of ntlm_auth for radiusd process.
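The AVC record quoted in the description, broken into its fields and grouped the way a triage script would, as an added example that is not part of the original report. The function names (`parse_avc`, `summarize`, `allow_rules`) are assumptions made for illustration; the sample line is the one from this report.

```python
import re
from collections import defaultdict

# The denial from this report, copied from the description above.
SAMPLE = (
    'type=AVC msg=audit(1282729991.563:368): avc: denied { execute } '
    'for pid=12743 comm="radiusd" name="ntlm_auth" dev=dm-6 ino=29739 '
    'scontext=unconfined_u:system_r:radiusd_t:s0 '
    'tcontext=system_u:object_r:winbind_helper_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record, nothing to reason about
    rec['epoch'] = float(m.group('epoch'))
    rec['serial'] = int(m.group('serial'))
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        grouped[key].update(rec['perms'])
    return dict(grouped)


def allow_rules(lines):
    """Render each group as the literal rule the denial asks for.
    The fix in this bug used the samba_domtrans_winbind_helper() interface
    rather than a raw allow rule, so treat this output as a review aid."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(summarize(lines).items())]
```
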
Dan: It is permissible for radiusd to exec /usr/bin/ntlm_auth, it should be allowed.
Miroslav add samba_domtrans_winbind_helper(radiusd_t)
Fixed in selinux-policy-3.7.19-52.fc13
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.