John Horne wrote:
Hi,

I have installed FR2.1.1 onto a test server, built using the Fedora
rawhide RPM source. No problems building and installing FR, but when I
start FR it seems to immediately stop. The radius.log file just shows:

   Fri Sep 26 17:20:58 2008 : Error: Failed to
   stat /var/run/radiusd/radiusd.sock: Permission denied

The ls command shows:

   ls -l /var/run/radiusd/radiusd.sock
   srw-rw---- 1 radiusd radiusd 0 Sep 26
                    16:53 /var/run/radiusd/radiusd.sock

I have tried disabling selinux, and iptables, but they made no
difference. Changing the permissions to 666 on the socket made no
difference.
Running 'radiusd -C' shows nothing, and 'radiusd -X' starts up okay. If
I then use a different terminal I can run 'radmin' with no problem
(which I gather uses the socket).

The problem is, I can't see what permissions may be wrong. Anyone any
ideas on this?

The radiusd.sock is a new unix socket unknown to the SELinux policy for radius, thus if SELinux is enabled and in enforcing mode it will deny access. You can check if you're really enforcing by using this command.

% getenforce

If it says "Enforcing" then SELinux policy is going to deny access to this socket. You can turn it off via

% setenforce 0

You can also verify this is your problem by grepping /var/log/audit/audit.log for AVC's, for example:

% sudo grep AVC /var/log/audit/audit.log

type=AVC msg=audit(1222447659.548:1457): avc: denied { unlink } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1458): avc: denied { create } for pid=17382 comm="radiusd" name="radiusd.sock" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1459): avc: denied { setattr } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file

This was with SELinux in permissive mode, the key things to look for are comm="radiusd" name="radiusd.sock" which says the command was radiusd and the name of the object was radiusd.sock.

But because SELinux was in permissive mode everything worked, it just told you what it would have denied if it were enforcing.

We need to update the SELinux policy to allow this new socket.

If that's not the problem you're encountering then the only other thing I can think of is that you're not running the service from an effective uid of root. When the server starts up it will have a uid of root but then drop its privileges to radiusd (not sure if the socket is created before or after the privilege drop). But I do know the socket creation code does check that the socket's gid matches the process's egid; if not it generates an error, but it's a different error message than what you're seeing. The error you're seeing is from the stat() call. I strongly suspect an SELinux denial. If SELinux is in permissive mode and you're still seeing this you might try manually removing /var/run/radiusd/radiusd.sock after stopping the service and then restart it and see if that resolves the problem.

FWIW, I don't see this problem on my system.

HTH,

--
John Dennis <[EMAIL PROTECTED]>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
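The grep-for-AVC check and the "update the policy to allow this socket" step from the reply above, as an added example that is not part of the thread or of FreeRADIUS: a small parser for audit.log AVC records that filters denials by comm and object name and derives the Type Enforcement allow rule that would cover them (the same shape of rule audit2allow produces). The sample log text is constructed from the three records quoted in the reply plus one non-AVC line to show the filter; the field names come from the records themselves.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from the thread, one per
# line as they appear in /var/log/audit/audit.log, plus one unrelated line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1222447659.548:1457): avc: denied { unlink } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1458): avc: denied { create } for pid=17382 comm="radiusd" name="radiusd.sock" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1222447659.548:1459): avc: denied { setattr } for pid=17382 comm="radiusd" name="radiusd.sock" dev=sda6 ino=3156948 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:object_r:radiusd_var_run_t:s0 tclass=sock_file
type=CRED_DISP msg=audit(1222447659.600:1460): pid=17380 uid=0 (constructed non-AVC line)
"""

# An AVC record: the verdict, the braced permission list, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either a quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    record = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
    }
    record.update(fields)
    return record


def parse_audit_log(text):
    """Parse every AVC record in an audit.log body, skipping other record types."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def denials_for(records, comm=None, name=None):
    """Keep only denials, optionally narrowed to a command and an object name."""
    out = []
    for r in records:
        if r['verdict'] != 'denied':
            continue
        if comm is not None and r.get('comm') != comm:
            continue
        if name is not None and r.get('name') != name:
            continue
        out.append(r)
    return out


def type_of(context):
    """Extract the type from a user:role:type:level SELinux context."""
    return context.split(':')[2]


def suggest_allow_rules(records):
    """Collapse denials into TE allow rules keyed by (source type, target type, class)."""
    perms = defaultdict(set)
    for r in records:
        key = (type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])
        perms[key].update(r['perms'])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
        for (src, tgt, cls), p in sorted(perms.items())
    ]


if __name__ == '__main__':
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    hits = denials_for(records, comm='radiusd', name='radiusd.sock')
    for r in hits:
        print(f"{r['serial']}: {r['comm']} denied {r['perms']} on {r['name']} ({r['tclass']})")
    for rule in suggest_allow_rules(hits):
        print(rule)
```

The derived rule for the quoted records is `allow radiusd_t radiusd_var_run_t:sock_file { create setattr unlink };`. As the reply notes, in permissive mode these records are logged even though the operations succeed, so a clean run of the daemon does not mean the audit log is empty; conversely, a rule generated this way grants exactly the permissions that were denied and should be checked against what the daemon legitimately needs before it goes into a policy module.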