Some progress made:

dac_override and dac_read_search AVCs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These were triggered by wrong file/directory permission settings (too restrictive - 600/700 not allowing 'root' access to these, as the uid/gid were not 'root'). I have corrected these by changing the group ids to include root (uid: root, gid: ___tor). When this was done the above 2 AVCs were gone - forever. In order to find out what was causing these I had to switch on more detailed auditd logging with "auditctl -a exit,always -F dir=/apps" and "auditctl -a exit,always -F dir=/usr" to see what is happening - a very handy auditd feature, and it solved the above issues as it logged every syscall made to the above 2 directories (recursively!), enabling me to see what went wrong.

name_bind AVC:
~~~~~~~~~~~~
I also know how to correct the name_bind AVC, though the issue I have is that this should be a permanent setting in the targeted policy (tor.te), as the new version of tor (2.x) has its own dns resolving capabilities and needs access/binding to udp/53. The policy makers of the 'targeted' policy should be made aware of this.

net_bind_service AVC:
~~~~~~~~~~~~~~~~
Here is my last query: the net_bind_service capability (allowing binding to ports < 1024) is also needed by tor's dns resolution service, though I need to know: is there a way to specify only port 53, as that is what is needed by tor (tor does NOT need to bind to any other privileged port(s) other than udp/53)? I can get away without the above 2 AVCs provided I specify DNS resolution to be done on unprivileged ports (say udp/5053, for example), though I don't know how this is going to be done in practice, as I have no idea how to force Linux into accepting its DNS resolution to look for ports other than 53 (as far as I know 'resolv.conf' allows only hosts to be specified, no ports - 53 is the assumed DNS resolution port and that, as far as I know, cannot be changed).
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
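Regarding the name_bind and net_bind_service questions in the post above: the script below is an added example, not part of the post and not code from the tor project or the Fedora policy maintainers. It writes a small SELinux policy module that grants tor_t exactly the two permissions those AVCs ask for. The module name tor_dns and the output directory are assumptions; tor_t and dns_port_t are the targeted-policy types for the tor daemon and the DNS port. The point it demonstrates: SELinux cannot narrow the net_bind_service capability to a single port (the capability check is process-wide), but binding is additionally checked per port type, so granting name_bind only on dns_port_t is what keeps the effective grant to udp/53.

```shell
#!/bin/sh
# Added example (not from the list post): a minimal SELinux policy module
# letting tor_t bind UDP port 53 by port type (dns_port_t) instead of by an
# unrestricted privileged-port grant. Module name "tor_dns" and the output
# directory are assumptions; tor_t and dns_port_t are targeted-policy types.

# Emit the type-enforcement (.te) source for the module.
tor_dns_te() {
    cat <<'EOF'
module tor_dns 1.0;

require {
    type tor_t;
    type dns_port_t;
    class udp_socket name_bind;
    class capability net_bind_service;
}

# Port binding is decided per port type: only ports labelled dns_port_t
# (53 by default; verify with: semanage port -l | grep dns_port_t) qualify.
allow tor_t dns_port_t:udp_socket name_bind;

# CAP_NET_BIND_SERVICE is a process capability and cannot be scoped to one
# port; the name_bind rule above is what confines the grant to port 53.
allow tor_t self:capability net_bind_service;
EOF
}

# Write the .te file into $1 and, when the policy toolchain is installed,
# compile and package it; loading the module (semodule -i) needs root.
write_tor_dns_policy() {
    dir=$1
    tor_dns_te > "$dir/tor_dns.te" || return 1
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$dir/tor_dns.mod" "$dir/tor_dns.te" &&
        semodule_package -o "$dir/tor_dns.pp" -m "$dir/tor_dns.mod" &&
        echo "built $dir/tor_dns.pp; install with: semodule -i $dir/tor_dns.pp"
    else
        echo "policy toolchain not found; on the target host run:"
        echo "  checkmodule -M -m -o tor_dns.mod $dir/tor_dns.te"
        echo "  semodule_package -o tor_dns.pp -m tor_dns.mod"
        echo "  semodule -i tor_dns.pp"
    fi
}

# Count the allow rules the module grants, so its scope can be checked
# before it is loaded (this module grants exactly two).
tor_dns_rule_count() {
    tor_dns_te | grep -c '^allow '
}

# Stand-alone run: write the module next to the script and report.
[ -n "$TOR_DNS_OUT" ] && write_tor_dns_policy "$TOR_DNS_OUT"
```

Run it with `TOR_DNS_OUT=. sh tor_dns.sh` on the host with the SELinux policy tools; `tor_dns_rule_count` is there so the module's scope (two allow rules, nothing else) can be confirmed before `semodule -i`. If the port 53 bind is moved to an unprivileged port instead, only the name_bind rule changes (to whatever type that port carries) and the capability rule can be dropped entirely.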