Problem
SELinux in Enforcing mode causes FreeRADIUS to fail when enabling the ABFAB server
Solution
Switch off SELinux temporarily and try to restart the server. If that succeeds, use the following SELinux policy as a starting point:
CentOS 6:

```
module radiusd_moonshot 1.1;

# Types and object classes this module refers to; all must already exist in the loaded policy.
require {
    type security_t;
    type radiusd_t;
    type radsec_port_t;
    type pam_var_console_t;
    type var_lib_t;
    type default_context_t;
    type system_dbusd_var_lib_t;
    type port_t;
    type dbusd_exec_t;
    type initrc_t;
    class process { ptrace execmem };
    class tcp_socket { name_bind name_connect };
    class netlink_selinux_socket { bind create };
    class file { execute read execute_no_trans write getattr open };
    class capability sys_ptrace;
    class security compute_av;
    class dir search;
}

#============= radiusd_t ==============
allow radiusd_t dbusd_exec_t:file { read execute open execute_no_trans };
allow radiusd_t default_context_t:file { read getattr open };
allow radiusd_t pam_var_console_t:dir search;
allow radiusd_t port_t:tcp_socket name_connect;
allow radiusd_t radsec_port_t:tcp_socket { name_bind name_connect };
allow radiusd_t security_t:security compute_av;
allow radiusd_t self:capability sys_ptrace;
allow radiusd_t self:netlink_selinux_socket { bind create };
allow radiusd_t self:process { ptrace execmem };
allow radiusd_t system_dbusd_var_lib_t:dir search;
allow radiusd_t system_dbusd_var_lib_t:file { read getattr open };
allow radiusd_t var_lib_t:file { read write getattr open };
```
...
```
# checkmodule -M -m -o radiusd_moonshot.mod radiusd_moonshot.te
# semodule_package -o radiusd_moonshot.pp -m radiusd_moonshot.mod
# semodule -i radiusd_moonshot.pp
```
...
This line will eventually no longer be necessary.
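Since the policy above is offered only as a starting point, the following Python script (an added example, not part of the original page or of the project's own tooling) parses a `.te` file's allow rules and lists the ones a reviewer would want justified before running `semodule -i`. The two lookup tables and the function names are assumptions of this example; the sample input is a subset of the rules from this page.

```python
import re

# Rules worth a second look before loading a module. Both tables are this
# example's own review choices (assumptions), not a list from the page.
BROAD_PERMS = {
    ("process", "execmem"): "memory that is both writable and executable",
    ("process", "ptrace"): "tracing other processes",
    ("capability", "sys_ptrace"): "CAP_SYS_PTRACE",
}
GENERIC_TYPES = {
    "port_t": "default label for ports with no specific type",
    "var_lib_t": "default label for files under /var/lib",
}
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(\{[^}]*\}|[^\s;{]+)\s*;", re.M)

# Eight of the twelve allow rules from the policy on this page.
PAGE_POLICY = """
allow radiusd_t dbusd_exec_t:file { read execute open execute_no_trans };
allow radiusd_t port_t:tcp_socket name_connect;
allow radiusd_t radsec_port_t:tcp_socket { name_bind name_connect };
allow radiusd_t security_t:security compute_av;
allow radiusd_t self:capability sys_ptrace;
allow radiusd_t self:netlink_selinux_socket { bind create };
allow radiusd_t self:process { ptrace execmem };
allow radiusd_t var_lib_t:file { read write getattr open };
"""

def parse_allow_rules(te_text):
    """Return (source, target, class, permission set) for each allow rule."""
    text = re.sub(r"#.*", "", te_text)  # drop comments first
    return [(s, t, c, set(p.strip("{}").split()))
            for s, t, c, p in ALLOW_RE.findall(text)]

def review(te_text):
    """Return (rule, reason) pairs for rules a reviewer should justify."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        for perm in sorted(perms):
            if (cls, perm) in BROAD_PERMS:
                findings.append((f"{src} {tgt}:{cls} {perm}", BROAD_PERMS[(cls, perm)]))
        if tgt in GENERIC_TYPES:
            findings.append((f"{src} {tgt}:{cls} {' '.join(sorted(perms))}", GENERIC_TYPES[tgt]))
    return findings

if __name__ == "__main__":
    for rule, reason in review(PAGE_POLICY):
        print(f"REVIEW  {rule:55} {reason}")
```

Rules that are flagged are candidates for narrowing, for example by giving the affected files or ports their own type instead of granting access to the generic one.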