diff options
Diffstat (limited to 'redhat/radiusd.service')
| -rw-r--r-- | redhat/radiusd.service | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/redhat/radiusd.service b/redhat/radiusd.service new file mode 100644 index 0000000..ebeee95 --- /dev/null +++ b/redhat/radiusd.service @@ -0,0 +1,67 @@ +[Unit] +Description=FreeRADIUS multi-protocol policy server +After=network-online.target +Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/ + +[Service] +Type=notify +WatchdogSec=60 +NotifyAccess=all +EnvironmentFile=-/etc/sysconfig/radiusd + +# FreeRADIUS can do static evaluation of policy language rules based +# on environmental variables which is very useful for doing per-host +# customization. +# Unfortunately systemd does not allow variable substitutions such +# as %H or $(hostname) in the EnvironmentFile. +# We provide HOSTNAME here for convenience. +Environment=HOSTNAME=%H + +# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS +# is not memory hungry, if it's using more than this, then there's probably +# a leak somewhere. +MemoryLimit=2G + +RuntimeDirectory=radiusd +RuntimeDirectoryMode=0775 +User=radiusd +Group=radiusd +ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cx -lstdout +ExecStart=/usr/sbin/radiusd -f $FREERADIUS_OPTIONS +Restart=on-failure +RestartSec=5 +ExecReload=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout +ExecReload=/bin/kill -HUP $MAINPID + +# Don't elevate privileges after starting +NoNewPrivileges=true + +# Allow binding to secure ports, broadcast addresses, and raw interfaces. +# +# This list of capabilities may not be exhaustive, and needs +# further testing. Please uncomment, test, and report any issues. +#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE + +# Private /tmp that isn't shared by other processes +PrivateTmp=true + +# cgroups are readable only by radiusd, and child processes +ProtectControlGroups=true + +# don't load new kernel modules +ProtectKernelModules=true + +# don't tune kernel parameters +ProtectKernelTunables=true + +# Only allow native system calls +SystemCallArchitectures=native + +# We shouldn't be writing to the configuration directory +ReadOnlyDirectories=/etc/raddb/ + +# We can read and write to the log directory. +ReadWriteDirectories=/var/log/radius/ + +[Install] +WantedBy=multi-user.target |