freeradius package update

Signed-off-by: webbuilder_pel7x64builder0 <webbuilder@powerel.org>
5 years ago · 117bcf5334
7 changed files with 2555 additions and 0 deletions
--- a/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
+++ b/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
@ -0,0 +1,59 @@
				@@ -0,0 +1,59 @@
+From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 8 Sep 2014 12:32:13 +0300
+Subject: [PATCH] Adjust configuration to fit Red Hat specifics
+
+---
+ raddb/mods-available/eap | 4 ++--
+ raddb/radiusd.conf.in    | 7 +++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 2621e183c..94494b2c6 100644
+--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
+@@ -533,7 +533,7 @@
+			#  You should also delete all of the files
+			#  in the directory when the server starts.
+			#
+-		#	tmpdir = /tmp/radiusd
+		#	tmpdir = /var/run/radiusd/tmp
+
+			#  The command used to verify the client cert.
+			#  We recommend using the OpenSSL command-line
+@@ -548,7 +548,7 @@
+			#  deleted by the server when the command
+			#  returns.
+			#
+-		#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+		}
+
+		#  OCSP Configuration
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index a83c1f687..e500cf97b 100644
+--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
+@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
+ cadir   = ${confdir}/certs
+ run_dir = ${localstatedir}/run/${name}
+
+-# Should likely be ${localstatedir}/lib/radiusd
+-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
+
+ #
+ # libdir: Where to find the rlm_* modules.
+@@ -398,8 +397,8 @@ security {
+	#  member.  This can allow for some finer-grained access
+	#  controls.
+	#
+-#	user = radius
+-#	group = radius
+	user = radiusd
+	group = radiusd
+
+	#  Core dumps are a bad thing.  This should only be set to
+	#  'yes' if you're debugging a problem with the server.
+--
+2.13.2
--- a/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
+++ b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
@ -0,0 +1,75 @@
				@@ -0,0 +1,75 @@
+From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 26 Sep 2016 19:48:36 +0300
+Subject: [PATCH] Use system crypto policy by default
+
+---
+ raddb/mods-available/eap        | 2 +-
+ raddb/mods-available/inner-eap  | 2 +-
+ raddb/sites-available/abfab-tls | 2 +-
+ raddb/sites-available/tls       | 4 ++--
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 94494b2c6..9a8dc9327 100644
+--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
+@@ -912,7 +912,7 @@
+		#  Note - for OpenSSL 1.1.0 and above you may need
+		#  to add ":@SECLEVEL=0"
+		#
+-	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+	#	cipher_list = "PROFILE=SYSTEM"
+
+		#  PAC lifetime in seconds (default: seven days)
+		#
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 2b4df6267..af9aa88cd 100644
+--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
+@@ -68,7 +68,7 @@ eap inner-eap {
+		#  certificates.  If so, edit this file.
+		ca_file = ${cadir}/ca.pem
+
+-		cipher_list = "DEFAULT"
+		cipher_list = "PROFILE=SYSTEM"
+
+		#  You may want to set a very small fragment size.
+		#  The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 5dbe143da..46b5fea78 100644
+--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+		dh_file = ${certdir}/dh
+		fragment_size = 8192
+		ca_path = ${cadir}
+-		cipher_list = "DEFAULT"
+		cipher_list = "PROFILE=SYSTEM"
+
+		cache {
+			enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index cf1cd7a8a..7dd59cb6f 100644
+--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
+@@ -197,7 +197,7 @@ listen {
+		# Set this option to specify the allowed
+		# TLS cipher suites.  The format is listed
+		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
+		cipher_list = "PROFILE=SYSTEM"
+
+		# If enabled, OpenSSL will use server cipher list
+		# (possibly defined by cipher_list option above)
+@@ -499,7 +499,7 @@ home_server tls {
+		# Set this option to specify the allowed
+		# TLS cipher suites.  The format is listed
+		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
+		cipher_list = "PROFILE=SYSTEM"
+	}
+
+ }
+--
+2.13.2
--- a/SOURCES/freeradius-logrotate
+++ b/SOURCES/freeradius-logrotate
@ -0,0 +1,51 @@
				@@ -0,0 +1,51 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use.  One is
+# to write to a single detail file per IP and use the rotate config
+# below.  Another is to write to a daily detail file per IP with:
+#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation.  If you go with the
+# second technique, you will need another cron job that removes old
+# detail files.  You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+	monthly
+	rotate 4
+	nocreate
+	missingok
+	compress
+}
+
+/var/log/radius/checkrad.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+}
+
+/var/log/radius/radius.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+	postrotate
+		/usr/bin/systemctl reload-or-try-restart radiusd
+	endscript
+}
+
+/var/log/radius/radwtmp {
+	monthly
+	rotate 4
+	create
+	compress
+	missingok
+}
+/var/log/radius/sqltrace.sql {
+        monthly
+        rotate 4
+        create
+        compress
+        missingok
+}
--- a/SOURCES/freeradius-pam-conf
+++ b/SOURCES/freeradius-pam-conf
@ -0,0 +1,6 @@
				@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       include	password-auth
+account    required	pam_nologin.so
+account    include	password-auth
+password   include	password-auth
+session    include	password-auth
--- a/SOURCES/freeradius-tmpfiles.conf
+++ b/SOURCES/freeradius-tmpfiles.conf
@ -0,0 +1 @@
				@@ -0,0 +1 @@
+D /var/run/radiusd 0710 radiusd radiusd -
--- a/SOURCES/radiusd.service
+++ b/SOURCES/radiusd.service
@ -0,0 +1,17 @@
				@@ -0,0 +1,17 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
+ExecStartPre=/bin/chgrp -R radiusd /etc/raddb/certs/
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
				`@ -0,0 +1 @@` @@ -0,0 +1 @@
				`D /var/run/radiusd 0710 radiusd radiusd -`