On Mon, 2010-07-19 at 20:29 +0100, Mr Dash Four wrote:
> Some progress made:
>
> dac_override and dac_read_search AVCs:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> These were triggered by wrong file/directory permission settings (too
> restrictive - 600/700 not allowing 'root' access to these as the uid/gid
> were not 'root'). I have corrected these by changing the group ids to
> include root (uid: root, gid: ___tor). When this was done the above 2
> AVCs were gone - forever.
> In order to find out what was causing these I had to switch on more
> detailed auditd logging with "auditctl -a exit,always -F dir=/apps" and
> "auditctl -a exit,always -F dir=/usr" to see what is happening - very
> handy auditd feature and solved the above issues as it logged every
> syscall made to the above 2 directories (recursively!) enabling me to
> see what went wrong.
>
> name_bind AVC:
> ~~~~~~~~~~~~
> I also know how to correct the name_bind AVC, though the issue I have is
> that this should be a permanent setting in the targeted policy (tor.te)
> as the new version of tor (2.x) has its own dns resolving capabilities
> and needs access/binding to udp/53. The policy makers of the 'targeted'
> policy should be made aware of this.
>
> net_bind_service AVC:
> ~~~~~~~~~~~~~~~~
> Here is my last query: net_bind_service capability (allowing binding to
> ports < 1024) is also needed by tor's dns resolution service, though I
> need to know whether there is a way to specify only port 53 as that is what is
> needed by tor (tor does NOT need to bind to any other privileged port(s)
> other than udp/53)?

If you just want tor to bind to the dns port, use these interfaces:

corenet_tcp_bind_dns_port(tor_t)
corenet_udp_bind_dns_port(tor_t)

Considering these interfaces contain the net_bind_service cap, it seems like you will have to include it. However, that isn't a concern, since the statement here will only allow tor to bind to ports labeled dns_port_t, in this case tcp/udp 53.

If you don't want tcp, just include the second of the two interfaces.

> I can get away without the above 2 AVCs provided I specify DNS
> resolution to be done on unprivileged ports (say udp/5053 for example),
> though don't know how this is going to be done in practice as I have no
> idea how to force Linux into accepting its DNS resolution to look for
> ports other than 53 (as far as I know 'resolv.conf' allows only hosts to
> be specified, no ports - 53 is the assumed DNS resolution port and that,
> as far as I know, cannot be changed).
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
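A local policy module that applies the udp-only interface named in the reply, added here as an example (it is not the targeted policy's tor.te and not code from anyone in the thread); the module name local_tor_dns is an assumption:

```m4
policy_module(local_tor_dns, 1.0)

# Example local module (assumed name local_tor_dns), not the Fedora
# targeted policy's own tor.te.  It lets tor_t bind a UDP socket to
# ports labeled dns_port_t (udp/53) without a raw, all-ports
# "allow tor_t self:capability net_bind_service;" rule on its own.

require {
    type tor_t;
}

# corenet_udp_bind_dns_port() expands to two allow rules:
#   allow tor_t dns_port_t:udp_socket name_bind;
#   allow tor_t self:capability net_bind_service;
# The capability line is there because binding below 1024 needs it,
# but the name_bind line is what limits the bind to dns_port_t, so tor
# still cannot bind to other privileged ports such as 22 or 80.
corenet_udp_bind_dns_port(tor_t)

# Deliberately left out, as the reply suggests when tcp/53 is not used:
# corenet_tcp_bind_dns_port(tor_t)
```

Build it with the reference-policy development Makefile (make -f /usr/share/selinux/devel/Makefile local_tor_dns.pp), load it with semodule -i local_tor_dns.pp, and confirm the resulting rule with sesearch --allow -s tor_t -t dns_port_t -c udp_socket -p name_bind.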