diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
commit | 50b37d4a27d3295a29afca2286f1a5a086142cec (patch) | |
tree | 9212f763934ee090ef72d823f559f52ce387f268 /redhat/radiusd.service | |
parent | Initial commit. (diff) | |
download | freeradius-b44c43f84b67b16f7897077658751679f7087fa7.tar.xz freeradius-b44c43f84b67b16f7897077658751679f7087fa7.zip |
Adding upstream version 3.2.1+dfsg.upstream/3.2.1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'redhat/radiusd.service')
-rw-r--r-- | redhat/radiusd.service | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/redhat/radiusd.service b/redhat/radiusd.service new file mode 100644 index 0000000..ebeee95 --- /dev/null +++ b/redhat/radiusd.service @@ -0,0 +1,67 @@ +[Unit] +Description=FreeRADIUS multi-protocol policy server +After=network-online.target +Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/ + +[Service] +Type=notify +WatchdogSec=60 +NotifyAccess=all +EnvironmentFile=-/etc/sysconfig/radiusd + +# FreeRADIUS can do static evaluation of policy language rules based +# on environmental variables which is very useful for doing per-host +# customization. +# Unfortunately systemd does not allow variable substitutions such +# as %H or $(hostname) in the EnvironmentFile. +# We provide HOSTNAME here for convenience. +Environment=HOSTNAME=%H + +# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS +# is not memory hungry, if it's using more than this, then there's probably +# a leak somewhere. +MemoryLimit=2G + +RuntimeDirectory=radiusd +RuntimeDirectoryMode=0775 +User=radiusd +Group=radiusd +ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cx -lstdout +ExecStart=/usr/sbin/radiusd -f $FREERADIUS_OPTIONS +Restart=on-failure +RestartSec=5 +ExecReload=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout +ExecReload=/bin/kill -HUP $MAINPID + +# Don't elevate privileges after starting +NoNewPrivileges=true + +# Allow binding to secure ports, broadcast addresses, and raw interfaces. +# +# This list of capabilities may not be exhaustive, and needs +# further testing. Please uncomment, test, and report any issues. +#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE + +# Private /tmp that isn't shared by other processes +PrivateTmp=true + +# cgroups are readable only by radiusd, and child processes +ProtectControlGroups=true + +# don't load new kernel modules +ProtectKernelModules=true + +# don't tune kernel parameters +ProtectKernelTunables=true + +# Only allow native system calls +SystemCallArchitectures=native + +# We shouldn't be writing to the configuration directory +ReadOnlyDirectories=/etc/raddb/ + +# We can read and write to the log directory. +ReadWriteDirectories=/var/log/radius/ + +[Install] +WantedBy=multi-user.target |