Discussion:
SELINUX blocks radius but not when using radiusd -X (debug)
Michael Monette
2014-04-17 20:38:24 UTC
Hi,

Could anyone explain why this is happening? I just spent like 3 hours trying to figure this out, and I feel like it just doesn't make much sense.

On the RADIUS server, SELinux is ON. I start radius in Debug with "radiusd -X" and from my client I login with my RADIUS credentials (really, LDAP creds) and it works. No problem.

I stop radiusd in debug, and run a 'service radiusd start'. I try to login again and it fails! I then disable SELinux (setenforce 0) and try again and it works.

Why does SELinux not block 'radiusd -X' but it seems to block radius when it's started as a service (service radiusd start)?

What is the difference?

Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2014-04-17 20:56:30 UTC
Post by Michael Monette
Why does SELinux not block 'radiusd -X' but it seems to block radius when it's started as a service (service radiusd start)?
What is the difference?
Debug mode is running as you. You have permissions to do things.

Daemon mode is running as a "radiusd" or "freeradius" user. It
doesn't have permission to do anything.

Alan DeKok.
Adam Bishop
2014-04-17 21:11:42 UTC
Post by Michael Monette
I start radius in Debug with "radiusd -X" and from my client I login with my RADIUS credentials(really..ldap creds) and it works. No problem.
Running as root.
Post by Michael Monette
I stop radiusd in debug, and run a 'service radiusd start'. I try to login again and it fails!
Running as radiusd.

If you're running something Red Hat based, install policycoreutils-python, and have a read through the output of:

# audit2allow -a -w

Something may be incorrectly tagged (look at the man page for chcon), or you may need to write a bit of policy.

Regards,

Adam Bishop

gpg: 0x6609D460

Janet, the UK's research and education network.

Phil Mayers
2014-04-17 21:53:25 UTC
This is how SELinux works. Transition rules are dependent on current type and type of executed binary.

In refpolicy-derived installs most daemon transitions depend on a source type of initrc_t i.e. started by an init script.

There's plenty of info on this on the web in particular see:

http://danwalsh.livejournal.com/23944.html

The rest of the blog is good selinux info too.
--
Sent from my phone, please excuse brevity and typos
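The two replies above describe the same check from both ends: Phil's point that the domain a process lands in depends on who executed it (a root shell stays in unconfined_t, an init script transitions initrc_t to radiusd_t), and Adam's advice to read the AVC denials. The script below is an added example, not code from the thread or from the FreeRADIUS project; the ps -eZ lines and audit.log excerpt it works on are constructed samples, and the live commands it mentions in comments are what you would run on the real box instead.

```shell
#!/bin/sh
# Added example: triage helpers for the "works with radiusd -X, fails as a service" symptom.
# Every sample line below is constructed for this example, not taken from a real host.

# Constructed `ps -eZ` output. A debug run started from a root shell inherits the shell's
# domain (unconfined_t); `service radiusd start` transitions initrc_t -> radiusd_t.
PS_DEBUG='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0 00:00:00 radiusd'
PS_SERVICE='system_u:system_r:radiusd_t:s0 2301 ? 00:00:00 radiusd'

# Constructed audit.log excerpt of the kind SELinux writes when the confined daemon is denied.
AUDIT_SAMPLE='type=AVC msg=audit(1397770000.101:301): avc:  denied  { read } for  pid=2301 comm="radiusd" name="ldap.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1397770000.102:302): avc:  denied  { name_connect } for  pid=2301 comm="radiusd" dest=389 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1397770000.102:302): arch=c000003e syscall=42 success=no exit=-13 comm="radiusd"'

# domain_of: print the SELinux type (third field of the context) from one ps -eZ line.
domain_of() {
  printf '%s\n' "$1" | awk '{print $1}' | cut -d: -f3
}

# avc_summary: read audit text on stdin and print one line per distinct denial for comm $1:
#   <source domain> -> <target type> (<object class>): <denied permissions>
avc_summary() {
  grep 'type=AVC' | grep "comm=\"$1\"" |
    sed -E 's/.*denied +[{] ([^}]*) [}].*scontext=[^:]*:[^:]*:([^:]*):[^ ]* tcontext=[^:]*:[^:]*:([^:]*):[^ ]* tclass=([^ ]+).*/\2 -> \3 (\4): \1/' |
    sort -u
}

# On a live SELinux host the same questions are answered with:
#   ps -eZ | grep radiusd                        # which domain is the daemon actually in?
#   sesearch -T -s initrc_t -t radiusd_exec_t    # is there a transition rule for the init path?
#   ausearch -m AVC -c radiusd | avc_summary radiusd
#   audit2allow -a -w                            # Adam's suggestion: explain each denial
echo "debug run domain:   $(domain_of "$PS_DEBUG")"
echo "service run domain: $(domain_of "$PS_SERVICE")"
printf '%s\n' "$AUDIT_SAMPLE" | avc_summary radiusd
```

The summary lines tell you which of Adam's two fixes applies: a target type like user_home_t on a config file points at mislabelled files (chcon or restorecon), while a denial against a port type such as ldap_port_t is usually a boolean or a local policy module.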