+# Selinux type we're building for
+%global selinuxtype targeted
+
# Optional modules and libraries
%bcond_with rlm_cache_memcached
%bcond_with rlm_idn
Requires(preun): /sbin/chkconfig
Requires: freeradius-config = %{version}-%{release}
Requires: freeradius-common = %{version}-%{release}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%if %{with freeradius_openssl}
Requires: freeradius-openssl
%else
Support for RFC and VSA Attributes Additional server configuration
attributes Selecting a particular configuration Authentication methods
+# No requirements here, as selinux is installed by the base package
+# as are any of the utilities we need to compile/manage policies.
+%package selinux
+Summary: A custom selinux policy for FreeRADIUS which adds multiple bools
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+This packages installs a custom selinux policy to allow the FreeRADIUS
+daemon to operate on additional ports, and communicate with other services
+directly using unix sockets.
+
%package snmp
Summary: SNMP MIBs and SNMP utilities used by FreeRADIUS
Requires: net-snmp-utils
# Do not use %__make here, as we may be using the non-system make
make %{?_smp_mflags}
+# Compile the selinux policy and produce the .bz2 containing the compiled policy
+make -f redhat/selinux/Makefile
+
%install
%__rm -rf $RPM_BUILD_ROOT
%__mkdir_p $RPM_BUILD_ROOT/var/run/radiusd
EOF
+# Install the selinux module
+%__install -D -m 0644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} redhat/selinux/%{name}.pp.bz2
+
%clean
%__rm -rf $RPM_BUILD_ROOT
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -s /sbin/nologin radiusd > /dev/null 2>&1
exit 0
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
%post
if [ $1 = 1 ]; then
- /usr/sbin/setsebool -P radius_use_jit=1 &> /dev/null || :
+ %selinux_set_booleans -s %{selinuxtype} radius_use_jit=on
%if %{?_unitdir:1}%{!?_unitdir:0}
/bin/systemctl enable radiusd
%else
fi
fi
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
%preun
if [ $1 = 0 ]; then
%if %{?_unitdir:1}%{!?_unitdir:0}
if [ $1 -ge 1 ]; then
/sbin/service radiusd condrestart >/dev/null 2>&1 || :
fi
+%selinux_unset_booleans -s %{selinuxtype} radius_jit
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
%files
%defattr(-,root,root)
%{_datadir}/snmp/mibs/*
%dir %attr(750,radiusd,radiusd) %{_sharedstatedir}/radiusd/snmp
+%files selinux
+%defattr(-,root,root,0755)
+%attr(0644,root,root) %{_datadir}/selinux/packages/%{selinuxtype}/*.pp.bz2
+
%files perl-util
%defattr(-,root,root)
/usr/bin/rlm_sqlippool_tool
--- /dev/null
+module freeradius 1.0;
+
+bool radius_slapd_unix false;
+
+require {
+ type radiusd_t;
+
+ # Connect to OpenLDAP
+ type slapd_t;
+ type slapd_var_run_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+
+ # Allow logging
+ type syslogd_port_t;
+ class tcp_socket name_connect;
+
+ # Kill children
+ class process getpgid;
+}
+
+if (radius_slapd_unix) {
+ # Allow FreeRADIUS to connect to OpenLDAP via a unix socket
+ allow radiusd_t slapd_t:unix_stream_socket connectto;
+
+ # Allow FreeRADIUS to write to OpenLDAP's unix socket
+ allow radiusd_t slapd_var_run_t:sock_file write;
+}
+
+# Allow FreeRADIUS to call getpgid so it can indiscriminately kill its children on exit
+allow radiusd_t self:process getpgid;
+
+# Always allow FreeRADIUS to write to syslog
+allow radiusd_t syslogd_port_t:tcp_socket name_connect;
projects / thirdparty / freeradius-server.git / commitdiff
