It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.
Add su radiusd:radiusd
to all log sections in /etc/logrotate.d/radiusd.
By keeping SELinux in "Enforcing" mode, radiusd user will be limited in the directories he can write to.