*sigh* It was indeed SELinux. I thought I had it disabled. Still not exactly sure why when I wrapped the init.d statement with a 'sh' it works, but nevertheless you solved my issue. Thanks John.

On Tue, Mar 29, 2011 at 2:16 PM, John Dennis <[email protected]> wrote:
> On 03/29/2011 03:09 PM, Christopher Athans wrote:
>>
>> Greetings all, I've been racking my brains out trying to solve/debug
>> the following issue, hopefully someone can provide a new perspective.
>>
>> I've implemented mOTP as an external authentication program by
>> defining it in radiusd.conf with a Program = "/etc/raddb/otpverify.sh"
>> statement.
>> As I said, it does indeed work properly, except, when I start the
>> radiusd server up as a daemon via init.d
>>
>> radiusd -X - Works properly
>> service radiusd start or /etc/init.d/radiusd start FAILS
>> sh /etc/init.d/radiusd start Works
>>
>> When it works properly, I get proper Accept Replies. When it 'fails',
>> it's due to not being able to execute the script and this is logged in
>> radius.log
>> Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh:
>> Permission denied
>>
>> In all the above scenarios, I was root when executing the statements.
>> I am *not* in a chroot jail, all the necessary directories are
>> read/write by user 'radiusd' which is what the process is running as.
>> I'm also using the init.d script that came with the CentOS package.
>>
>> My Linux platform and freeradius information is as follows:
>>
>> CentOS 5.5 - 2.6.18-194.32.1.el5 #1 SMP x86_64 GNU/Linux
>> running FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.
>>
>>
>> Thanks for any assistance with this.
>
> Is SELinux enabled?
>
> % getenforce
>
> If it's enforcing then set it to permissive mode
>
> % setenforce 0
>
> Now does it work? If so what were your recent AVCs in
> /var/log/audit/audit.log?
>
> Not the problem? Then verify the script can run as the radiusd user.
>
> --
> John Dennis <[email protected]>
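
The AVC check suggested in the quoted reply, as an added example that is not part of the original thread: a small parser that pulls the denials for one daemon out of audit.log text and collapses them into (source type, target type, class, permission) counts. The sample records, the SELinux type names in them, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1301426160.123:4521): avc:  denied  { execute } for  pid=2817 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=1311042 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1301426160.123:4521): arch=c000003e syscall=59 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC msg=audit(1301426161.456:4522): avc:  denied  { read } for  pid=2901 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1301426162.789:4523): avc:  denied  { execute execute_no_trans } for  pid=2817 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=1311042 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=file
type=AVC msg=audit(1301426163.000:4524): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec.update(result=m.group("result"), perms=m.group("perms").split(),
               serial=int(m.group("serial")), ts=float(m.group("ts")))
    return rec


def denials_for(log_text, comm):
    """All 'denied' AVC records whose comm= field matches the given process name."""
    records = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["result"] == "denied" and r.get("comm") == comm]


def summarize(denials):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for d in denials:
        stype = d["scontext"].split(":")[2]  # context is user:role:type[:level]
        ttype = d["tcontext"].split(":")[2]
        for perm in d["perms"]:
            counts[(stype, ttype, d["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(denials_for(SAMPLE_AUDIT_LOG, "radiusd")).items():
        print(n, *key)
```

On a live system the input would be the contents of /var/log/audit/audit.log, read as root, in place of the constructed sample.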

