Re: tor_t: SELinux prevents tor from starting when using ControlSocket feature

Hi,
Could you reproduce it in permissive mode? (I need all your AVCs)
Then I'll add these rules to tor policy in fedora and also RHEL.

On 04/10/2015 04:14 PM, Nusenu wrote:
Hi,

If you make use of tor's ControlSocket feature, via config option
ControlSocket /var/lib/tor/foo/controlsocket

tor will fail to start with the following AVCs:


avc:  denied  { dac_override } for  pid=7224 comm="tor" capability=1
scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability
avc:  denied  { dac_read_search } for  pid=7224 comm="tor"
capability=2  scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability

avc:  denied  { dac_override } for  pid=7226 comm="tor" capability=1
scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability
avc:  denied  { dac_read_search } for  pid=7226 comm="tor"
capability=2  scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability

If you do not use the ControlSocket feature by removing that option
from the config file, tor starts up fine again.

Would be great if one could enable a boolean to allow that.

thanks!

Used policy:
selinux-policy-3.13.1-23.el7
selinux-policy-targeted-3.13.1-23.el7

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
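
Added example, not part of the original messages or of the selinux-policy project: a small Python parser that reads the AVC denials quoted above (mail line-wrapping included) and groups them into the allow rule they correspond to, in the form audit2allow prints. The function names are illustrative assumptions.

```python
import re
from collections import defaultdict

# AVC records copied from the report above; the mail wrapping is kept on purpose.
SAMPLE = """\
avc:  denied  { dac_override } for  pid=7224 comm="tor" capability=1
scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability
avc:  denied  { dac_read_search } for  pid=7224 comm="tor"
capability=2  scontext=system_u:system_r:tor_t:s0
tcontext=system_u:system_r:tor_t:s0 tclass=capability
"""

# re.S lets one record span several wrapped lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)",
    re.S)

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render grouped denials as allow rules; 'self' when source == target."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {src} {target}:{cls} {plist};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_avcs(SAMPLE))))
```

Both denials collapse into a single rule on tor_t's own capability class, which is why the complete set of AVCs from a permissive-mode run is needed before a rule is written.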
