tor and selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I'm experimenting with tor hidden services and got it to work nicely on
my Centos7, with tor from epel. That is, until I booted the machine.
Then SELinux kicked in and in the logs there's 

[warn] Directory /var/lib/tor/hidden_service/ cannot be read:
Permission denied

The permissions are
drwx------.  2 toranon toranon    4096 Jan 28 23:39 hidden_service

And SELinux gives the following

SELinux is preventing /usr/bin/tor from using the dac_override
capability.

*****  Plugin dac_override (91.4 confidence)
suggests   **********************

If you want to help identify if domain needs this access or you have a
file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending
file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence)
suggests   **************************

If you believe that tor should have the dac_override capability by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tor' --raw | audit2allow -M my-tor
# semodule -i my-tor.pp


Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:system_r:tor_t:s0
Target Objects                Unknown [ capability ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           tor-0.2.8.12-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 3.10.0-514.6.1.el7.x86_64
                              #1 SMP Wed Jan 18 13:06:36 UTC 2017
x86_64 x86_64
Alert Count                   5
First Seen                    2017-01-29 22:42:46 EST
Last Seen                     2017-01-29 22:42:51 EST
Local ID                      51ceb58e-19cf-4f8f-ab1e-fe48265aaf1d

Raw Audit Messages
type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_override }
for  pid=2253 comm="tor"
capability=1  scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability


type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_read_search
} for  pid=2253 comm="tor"
capability=2  scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability


type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open
success=no exit=EACCES a0=7fcd2c12fe90 a1=20000 a2=0 a3=1 items=0
ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor
exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Hash: tor,tor_t,tor_t,capability,dac_override


As I don't know what dac_override is I don't know if it's a good idea
to give it to tor and the confidence seems quite low. 

Cheers
Mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux