import freeradius-3.0.17-3.module+el8+2746+2e560403

.freeradius.metadata

@@ -0,0 +1 @@
+a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2

.gitignore

@@ -0,0 +1 @@
+SOURCES/freeradius-server-3.0.17.tar.bz2

SOURCES/freeradius-Add-missing-option-descriptions.patch

@@ -0,0 +1,97 @@
+From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Fri, 14 Sep 2018 12:20:11 +0300
+Subject: [PATCH] man: Add missing option descriptions
+
+---
+ man/man8/raddebug.8 | 4 ++++
+ man/man8/radiusd.8  | 7 +++++++
+ man/man8/radmin.8   | 4 ++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
+index 66e80e64fa..6e27e2453c 100644
+--- a/man/man8/raddebug.8
++++ b/man/man8/raddebug.8
+@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
+ .IR condition ]
+ .RB [ \-d
+ .IR config_directory ]
++.RB [ \-D
++.IR dictionary_directory ]
+ .RB [ \-n
+ .IR name ]
+ .RB [ \-i
+@@ -73,6 +75,8 @@ option is equivalent to using:
+ .IP "\-d \fIconfig directory\fP"
+ The radius configuration directory, usually /etc/raddb.  See the
+ \fIradmin\fP manual page for more description of this option.
++.IP "\-D \fIdictionary directory\fP"
++Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+ .IP "\-n \fImname\fP"
+ Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+ .IP \-I\ \fIipv6-address\fP
+diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
+index c825f22d0d..98aef5e1be 100644
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
+ .RB [ \-C ]
+ .RB [ \-d
+ .IR config_directory ]
++.RB [ \-D
++.IR dictionary_directory ]
+ .RB [ \-f ]
+ .RB [ \-h ]
+ .RB [ \-i
+@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
+ .IR name ]
+ .RB [ \-p
+ .IR port ]
++.RB [ \-P ]
+ .RB [ \-s ]
+ .RB [ \-t ]
+ .RB [ \-v ]
+@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+ Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
++.IP "\-D \fIdictionary directory\fP"
++Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+ .IP \-f
+ Do not fork, stay running as a foreground process.
+ .IP \-h
+@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
+ \fIradiusd.conf\fP are ignored.
+ 
+ This option MUST be used in conjunction with "-i".
++.IP "\-P
++Always write out PID, even with -f.
+ .IP \-s
+ Run in "single server" mode.  The server normally runs with multiple
+ threads and/or processes, which can lower its response time to
+diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
+index 5ecc963d81..5bf661fa71 100644
+--- a/man/man8/radmin.8
++++ b/man/man8/radmin.8
+@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
+ .B radmin
+ .RB [ \-d
+ .IR config_directory ]
++.RB [ \-D
++.IR dictionary_directory ]
+ .RB [ \-e
+ .IR command ]
+ .RB [ \-E ]
+@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
+ Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
+ configuration files to find the "listen" section that defines the
+ control socket filename.
++.IP "\-D \fIdictionary directory\fP"
++Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+ .IP "\-e \fIcommand\fP"
+ Run \fIcommand\fP and exit.
+ .IP \-E
+-- 
+2.18.0
+

SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch

@@ -0,0 +1,60 @@
+From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 8 Sep 2014 12:32:13 +0300
+Subject: [PATCH] Adjust configuration to fit Red Hat specifics
+
+---
+ raddb/mods-available/eap | 4 ++--
+ raddb/radiusd.conf.in    | 7 +++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 2621e183c..94494b2c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -472,7 +472,7 @@ eap {
+ 			#
+ 			#  You should also delete all of the files
+ 			#  in the directory when the server starts.
+-	#		tmpdir = /tmp/radiusd
++	#		tmpdir = /var/run/radiusd/tmp
+ 
+ 			#  The command used to verify the client cert.
+ 			#  We recommend using the OpenSSL command-line
+@@ -486,7 +486,7 @@ eap {
+ 			#  in PEM format.  This file is automatically
+ 			#  deleted by the server when the command
+ 			#  returns.
+-	#		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++	#		client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ 		}
+ 
+ 		#
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index a83c1f687..e500cf97b 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
+ cadir   = ${confdir}/certs
+ run_dir = ${localstatedir}/run/${name}
+ 
+-# Should likely be ${localstatedir}/lib/radiusd
+-db_dir = ${raddbdir}
++db_dir = ${localstatedir}/lib/radiusd
+ 
+ #
+ # libdir: Where to find the rlm_* modules.
+@@ -398,8 +397,8 @@ security {
+ 	#  member.  This can allow for some finer-grained access
+ 	#  controls.
+ 	#
+-#	user = radius
+-#	group = radius
++	user = radiusd
++	group = radiusd
+ 
+ 	#  Core dumps are a bad thing.  This should only be set to
+ 	#  'yes' if you're debugging a problem with the server.
+-- 
+2.13.2
+

SOURCES/freeradius-OpenSSL-HMAC-MD5.patch

@@ -0,0 +1,68 @@
+From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Sep 2018 09:54:46 -0400
+Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
+
+If OpenSSL EVP is not found, fallback to internal implementation of
+HMAC-MD5.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
+index 2c662ff368..1cca00fa2a 100644
+--- a/src/lib/hmacmd5.c
++++ b/src/lib/hmacmd5.c
+@@ -27,10 +27,41 @@
+
+ RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+
++#ifdef HAVE_OPENSSL_EVP_H
++#include <openssl/hmac.h>
++#include <openssl/evp.h>
++#endif
++
+ #include <freeradius-devel/libradius.h>
+ #include <freeradius-devel/md5.h>
+
+-/** Calculate HMAC using MD5
++#ifdef HAVE_OPENSSL_EVP_H
++/** Calculate HMAC using OpenSSL's MD5 implementation
++ *
++ * @param digest Caller digest to be filled in.
++ * @param text Pointer to data stream.
++ * @param text_len length of data stream.
++ * @param key Pointer to authentication key.
++ * @param key_len Length of authentication key.
++ *
++ */
++void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
++		 uint8_t const *key, size_t key_len)
++{
++	HMAC_CTX *ctx  = HMAC_CTX_new();
++
++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++	/* Since MD5 is not allowed by FIPS, explicitly allow it. */
++	HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
++
++	HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
++	HMAC_Update(ctx, text, text_len);
++	HMAC_Final(ctx, digest, NULL);
++	HMAC_CTX_free(ctx);
++}
++#else
++/** Calculate HMAC using internal MD5 implementation
+  *
+  * @param digest Caller digest to be filled in.
+  * @param text Pointer to data stream.
+@@ -101,6 +132,7 @@
+ 					      * hash */
+ 	fr_md5_final(digest, &context);	  /* finish up 2nd pass */
+ }
++#endif /* HAVE_OPENSSL_EVP_H */
+
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):

SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch

@@ -0,0 +1,73 @@
+From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Sep 2018 11:03:52 -0400
+Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
+
+If OpenSSL EVP is not found, fallback to internal implementation of
+HMAC-SHA1.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
+index c3cbd87a2c..211470ea35 100644
+--- a/src/lib/hmacsha1.c
++++ b/src/lib/hmacsha1.c
+@@ -10,13 +10,19 @@
+
+ RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+
++#ifdef HAVE_OPENSSL_EVP_H
++#include <openssl/hmac.h>
++#include <openssl/evp.h>
++#endif
++
+ #include <freeradius-devel/libradius.h>
+
+ #ifdef HMAC_SHA1_DATA_PROBLEMS
+ unsigned int sha1_data_problems = 0;
+ #endif
+
+-/** Calculate HMAC using SHA1
++#ifdef HAVE_OPENSSL_EVP_H
++/** Calculate HMAC using OpenSSL's SHA1 implementation
+  *
+  * @param digest Caller digest to be filled in.
+  * @param text Pointer to data stream.
+@@ -28,6 +34,26 @@
+ void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ 		  uint8_t const *key, size_t key_len)
+ {
++	HMAC_CTX *ctx  = HMAC_CTX_new();
++	HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
++	HMAC_Update(ctx, text, text_len);
++	HMAC_Final(ctx, digest, NULL);
++	HMAC_CTX_free(ctx);
++}
++
++#else
++
++/** Calculate HMAC using internal SHA1 implementation
++ *
++ * @param digest Caller digest to be filled in.
++ * @param text Pointer to data stream.
++ * @param text_len length of data stream.
++ * @param key Pointer to authentication key.
++ * @param key_len Length of authentication key.
++ */
++void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
++		  uint8_t const *key, size_t key_len)
++{
+ 	fr_sha1_ctx context;
+ 	uint8_t k_ipad[65];    /* inner padding - key XORd with ipad */
+ 	uint8_t k_opad[65];    /* outer padding - key XORd with opad */
+@@ -142,6 +168,7 @@
+ 	}
+ #endif
+ }
++#endif /* HAVE_OPENSSL_EVP_H */
+
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):

SOURCES/freeradius-Use-system-crypto-policy-by-default.patch

@@ -0,0 +1,76 @@
+From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 26 Sep 2016 19:48:36 +0300
+Subject: [PATCH] Use system crypto policy by default
+
+---
+ raddb/mods-available/eap        | 2 +-
+ raddb/mods-available/inner-eap  | 2 +-
+ raddb/sites-available/abfab-tls | 2 +-
+ raddb/sites-available/tls       | 4 ++--
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 94494b2c6..9a8dc9327 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -323,7 +323,7 @@ eap {
+ 		#
+ 		# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ 		#
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		# If enabled, OpenSSL will use server cipher list
+ 		# (possibly defined by cipher_list option above)
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 2b4df6267..af9aa88cd 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -68,7 +68,7 @@ eap inner-eap {
+ 		#  certificates.  If so, edit this file.
+ 		ca_file = ${cadir}/ca.pem
+ 
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  You may want to set a very small fragment size.
+ 		#  The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 5dbe143da..46b5fea78 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+ 		dh_file = ${certdir}/dh
+ 		fragment_size = 8192
+ 		ca_path = ${cadir}
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		cache {
+ 			enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index cf1cd7a8a..7dd59cb6f 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -197,7 +197,7 @@ listen {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		# If enabled, OpenSSL will use server cipher list
+ 		# (possibly defined by cipher_list option above)
+@@ -499,7 +499,7 @@ home_server tls {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 	}
+ 
+ }
+-- 
+2.13.2
+

SOURCES/freeradius-logrotate

@@ -0,0 +1,51 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use.  One is
+# to write to a single detail file per IP and use the rotate config
+# below.  Another is to write to a daily detail file per IP with:
+#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation.  If you go with the
+# second technique, you will need another cron job that removes old
+# detail files.  You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+	monthly
+	rotate 4
+	nocreate
+	missingok
+	compress
+}
+
+/var/log/radius/checkrad.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+}
+
+/var/log/radius/radius.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+	postrotate
+		/usr/bin/systemctl reload-or-try-restart radiusd
+	endscript
+}
+
+/var/log/radius/radwtmp {
+	monthly
+	rotate 4
+	create
+	compress
+	missingok
+}
+/var/log/radius/sqltrace.sql {
+        monthly
+        rotate 4
+        create
+        compress
+        missingok
+}

SOURCES/freeradius-man-Fix-some-typos.patch

@@ -0,0 +1,94 @@
+From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Fri, 14 Sep 2018 11:53:28 +0300
+Subject: [PATCH] man: Fix some typos
+
+---
+ man/man5/radrelay.conf.5 | 2 +-
+ man/man5/rlm_files.5     | 2 +-
+ man/man5/unlang.5        | 8 ++++----
+ man/man8/radrelay.8      | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
+index 5fb38bfc4e..e3e665024b 100644
+--- a/man/man5/radrelay.conf.5
++++ b/man/man5/radrelay.conf.5
+@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
+ backup server. When the primary goes down, most NASes detect that and
+ switch to the backup server.
+ 
+-That will cause your accounting packets to go the the backup server -
++That will cause your accounting packets to go to the backup server -
+ and some NASes don't even switch back to the primary server when it
+ comes back up.
+ 
+diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
+index bfee5030ff..52f4734ae3 100644
+--- a/man/man5/rlm_files.5
++++ b/man/man5/rlm_files.5
+@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
+ perform per-group checks, and return per-group attributes, where the
+ group membership is dynamically defined by a previous module.  It also
+ lets you do things like key off of attributes in the reply, and
+-express policies like like "when I send replies containing attribute
++express policies like "when I send replies containing attribute
+ FOO with value BAR, do more checks, and maybe send additional
+ attributes".
+ .SH CONFIGURATION
+diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
+index 76db8f2d1c..12fe7855b2 100644
+--- a/man/man5/unlang.5
++++ b/man/man5/unlang.5
+@@ -36,7 +36,7 @@ the pre-defined keywords here.
+ 
+ Subject to a few limitations described below, any keyword can appear
+ in any context.  The language consists of a series of entries, each
+-one one line.  Each entry begins with a keyword.  Entries are
++one line.  Each entry begins with a keyword.  Entries are
+ organized into lists.  Processing of the language is line by line,
+ from the start of the list to the end.  Actions are executed
+ per-keyword.
+@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below.  The match is
+ then performed on the string returned from the expansion.  If the
+ argument is an attribute reference (e.g. &User-Name), then the match
+ is performed on the value of that attribute.  Otherwise, the argument
+-is taken to be a literal string, and and matching is done via simple
++is taken to be a literal string, and matching is done via simple
+ comparison.
+ 
+ No statement other than "case" can appear in a "switch" block.
+@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below.  The match is
+ then performed on the string returned from the expansion.  If the
+ argument is an attribute reference (e.g. &User-Name), then the match
+ is performed on the value of that attribute.  Otherwise, the argument
+-is taken to be a literal string, and and matching is done via simple
++is taken to be a literal string, and matching is done via simple
+ comparison.
+ 
+ .DS
+@@ -799,7 +799,7 @@ regular expression.  If no attribute matches, nothing else is done.
+ The value can be an attribute reference, or an attribute-specific
+ string.
+ 
+-When the value is an an attribute reference, it must take the form of
++When the value is an attribute reference, it must take the form of
+ "&Attribute-Name".  The leading "&" signifies that the value is a
+ reference.  The "Attribute-Name" is an attribute name, such as
+ "User-Name" or "request:User-Name".  When an attribute reference is
+diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
+index fdba6995d5..99e65732a2 100644
+--- a/man/man8/radrelay.8
++++ b/man/man8/radrelay.8
+@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
+ backup server. When the primary goes down, most NASes detect that and
+ switch to the backup server.
+ 
+-That will cause your accounting packets to go the the backup server -
++That will cause your accounting packets to go to the backup server -
+ and some NASes don't even switch back to the primary server when it
+ comes back up.
+ 
+-- 
+2.18.0
+

SOURCES/freeradius-pam-conf

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       include	password-auth
+account    required	pam_nologin.so
+account    include	password-auth
+password   include	password-auth
+session    include	password-auth

SOURCES/freeradius-python2-shebangs.patch

@@ -0,0 +1,64 @@
+From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Thu, 18 Oct 2018 12:40:53 -0400
+Subject: [PATCH] Clarify shebangs to be python2
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ scripts/radtee                         | 2 +-
+ src/modules/rlm_python/example.py      | 2 +-
+ src/modules/rlm_python/prepaid.py      | 2 +-
+ src/modules/rlm_python/radiusd.py      | 2 +-
+ src/modules/rlm_python/radiusd_test.py | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/scripts/radtee b/scripts/radtee
+index 123769d244..78b4bcbe0b 100755
+--- a/scripts/radtee
++++ b/scripts/radtee
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2
+ from __future__ import with_statement 
+ 
+ # RADIUS comparison tee v1.0
+diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
+index 5950a07678..eaf456e349 100644
+--- a/src/modules/rlm_python/example.py
++++ b/src/modules/rlm_python/example.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Python module example file
+ # Miguel A.L. Paraz <mparaz@mparaz.com>
+diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
+index c3cbf57b8f..3b1dc2e2e8 100644
+--- a/src/modules/rlm_python/prepaid.py
++++ b/src/modules/rlm_python/prepaid.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Example Python module for prepaid usage using MySQL
+ 
+diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
+index c535bb3caf..7129923994 100644
+--- a/src/modules/rlm_python/radiusd.py
++++ b/src/modules/rlm_python/radiusd.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Definitions for RADIUS programs
+ #
+diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
+index 13b7128b29..97b5b64f08 100644
+--- a/src/modules/rlm_python/radiusd_test.py
++++ b/src/modules/rlm_python/radiusd_test.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Python module test
+ # Miguel A.L. Paraz <mparaz@mparaz.com>

SOURCES/freeradius-tmpfiles.conf

@@ -0,0 +1 @@
+D /var/run/radiusd 0710 radiusd radiusd -

SOURCES/radiusd.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target