Bug 1250893
| Summary: | Cannot use hidden services (maybe because of selinux) | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Grégoire <gregoire> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | aminux, dwalsh, jamielinux, lmacken, msaulnier, pwouters, setthemfree, s |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-24 20:35:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Tor fails to start because of a wrong SELinux policy.

journalctl:

Aug 16 13:23:01 mosquito systemd[1]: Starting Anonymizing overlay network for TCP...
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.072 [notice] Tor v0.2.6.10 (git-58c51dc6087b0936) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k-fips and Zlib 1.2.8.
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.075 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.077 [notice] Read configuration file "/usr/share/tor/defaults-torrc".
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.079 [notice] Read configuration file "/etc/tor/torrc".
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.107 [warn] Directory /var/lib/tor/hidden_service1 cannot be read: Permission denied
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.110 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Aug 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.113 [err] Reading config failed--see warnings above.
Aug 16 13:23:01 mosquito systemd[1]: tor.service: control process exited, code=exited status=255
Aug 16 13:23:01 mosquito systemd[1]: Failed to start Anonymizing overlay network for TCP.
Aug 16 13:23:01 mosquito systemd[1]: Unit tor.service entered failed state.
Aug 16 13:23:01 mosquito systemd[1]: tor.service failed.
Aug 16 13:23:01 mosquito systemd[1]: tor.service holdoff time over, scheduling restart.
Aug 16 13:23:01 mosquito systemd[1]: start request repeated too quickly for tor.service
Aug 16 13:23:01 mosquito systemd[1]: Failed to start Anonymizing overlay network for TCP.
Aug 16 13:23:01 mosquito systemd[1]: Unit tor.service entered failed state.
Aug 16 13:23:01 mosquito systemd[1]: tor.service failed.

SELinux AVC list:

# aureport -a -ts today
39. 16/08/2015 13:23:01 tor system_u:system_r:tor_t:s0 4 capability dac_override system_u:system_r:tor_t:s0 denied 658
40. 16/08/2015 13:23:01 tor system_u:system_r:tor_t:s0 4 capability dac_read_search system_u:system_r:tor_t:s0 denied 658

If you switch SELinux to permissive mode, tor starts properly. SELinux then produces AVC errors for 'dac_override' only (permissive mode):

42. 16/08/2015 13:25:10 tor system_u:system_r:tor_t:s0 4 capability dac_override system_u:system_r:tor_t:s0 denied 664
43. 16/08/2015 13:25:10 tor system_u:system_r:tor_t:s0 4 capability dac_override system_u:system_r:tor_t:s0 denied 666

Reassigning ticket to selinux-policy-targeted component

Adding raw messages from audit.log:
type=SYSCALL msg=audit(1439724181.101:658): arch=c000003e syscall=4 success=no exit=-13 a0=564e14c66f70 a1=7ffdda00c7a0 a2=7ffdda00c7a0 a3=0 items=0 ppid=1 pid=32734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_read_search } for pid=32734 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_override } for pid=32734 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
I confirm this bug on Fedora 23 x86, upgraded from Fedora 21 (by the DNF system-upgrade plugin) and fully updated, with tor.i686 0.2.6.10-6.fc23 installed.

# uname -r
4.2.6-300.fc23.i686+PAE

* When I place the HiddenService private_key file directly in /var/lib/tor and fix /etc/tor/torrc, the tor daemon starts correctly and my hidden service works fine.
* When I place the private_key file into the subdirectory /var/lib/tor/hidden_service1 (and fix torrc), Tor never starts and I see this on the command line:

Job for tor.service failed because the control process exited with error code. See "systemctl status tor.service" and "journalctl -xe" for details.

and in journalctl:

[warn] Directory /var/lib/tor/hidden_service1 cannot be read: Permission denied
[warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
[err] Reading config failed--see warnings above.

Remarks:
* Disabling SELinux does not help: I tried `setenforce 0` and `restorecon -R /var/lib/tor`, but this does not work.
* I checked permissions and owners, setting them like the parent directory; also no result.

My /etc/tor/torrc:
------------------------------------------------
ControlPort <DELETED>
HashedControlPassword <DELETED>
ORPort 9001
DirPort 9030
HiddenServiceDir /var/lib/tor/hidden_service1
HiddenServicePort 80 127.0.0.1:8080
OutboundBindAddress <DELETED>
Nickname <DELETED>
ContactInfo <DELETED>
ExitRelay 0
ExitPolicy reject *:*
------------------------------------------------

Permissions for Hidden Service files:
------------------------------------------------
# ls -la /var/lib/tor/hidden_service1/
drwx------. 2 toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 4096 Nov 23 12:14 .
drwx------. 6 toranon root system_u:object_r:tor_var_lib_t:s0 4096 Nov 24 20:16 ..
-rw-------. 1 toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 23 Nov 16 03:23 hostname
-rw-------. 1 toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 887 Sep 25 2014 private_key
------------------------------------------------

I also checked the systemd unit and tried to fix the Hardening section (parameter ReadWriteDirectories), but also no result:
# cat /usr/lib/systemd/system/tor.service
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target
[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=30
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768
# Hardening
PrivateTmp=yes
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/lib/tor/hidden_service1
ReadWriteDirectories=/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
[Install]
WantedBy = multi-user.target
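The failure pattern in this thread (tor still running as uid 0 while it validates the config, a toranon-owned 0700 directory, tor_t denied dac_read_search and dac_override, and a unit whose CapabilityBoundingSet= keeps neither capability) can be reasoned through mechanically. The script below is an added example, not code from the bug report or from the tor or selinux-policy projects; its audit lines and unit excerpt are constructed from the text quoted above, and the toranon uid is a placeholder.

```shell
#!/bin/sh
# Added triage helper (not from the bug report). It decodes the AVC records
# quoted in the thread and shows why a uid-0 tor process gets EACCES on a
# toranon-owned 0700 directory: under plain DAC, root only passes through
# CAP_DAC_READ_SEARCH (read/search) or CAP_DAC_OVERRIDE (write), and both the
# tor_t SELinux policy and the unit's CapabilityBoundingSet= can remove those.
# Sample input is constructed from the report's audit lines (syscall 4 on
# x86_64 is stat(2), uid=0: the config check runs before privileges drop).

SAMPLE_AVC='type=SYSCALL msg=audit(1439724181.101:658): arch=c000003e syscall=4 success=no exit=-13 pid=32734 uid=0 euid=0 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_read_search } for pid=32734 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_override } for pid=32734 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0'

# Hardening excerpt of the F23 unit quoted in the report (constructed excerpt).
SAMPLE_UNIT='[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE'

# Placeholder uid for toranon: the real value does not matter, only that it is not 0.
TORANON_UID=1000

# Print "<capability> <permissive>" for each denied capability check on stdin.
avc_caps() {
    grep 'tclass=capability' |
        sed -n 's/.*denied { \([a-z_]*\) }.*permissive=\([01]\).*/\1 \2/p'
}

# Which capability a process needs to bypass DAC on a directory.
# args: process uid, owner uid, 3-digit octal mode, wanted access (r|w|x)
# Assumes the process is in none of the owner's groups, as root is for the
# toranon:toranon directory here. Prints "none" if DAC already permits the
# access, "denied" if no capability can help (unprivileged process).
dac_cap_needed() {
    puid=$1; ouid=$2; mode=$3; want=$4
    if [ "$puid" = "$ouid" ]; then
        bits=$(printf '%s' "$mode" | cut -c1)   # owner bits
    else
        bits=$(printf '%s' "$mode" | cut -c3)   # "other" bits
    fi
    case $want in r) need=4 ;; w) need=2 ;; x) need=1 ;; esac
    if [ $((bits & need)) -ne 0 ]; then echo none; return 0; fi
    if [ "$puid" != 0 ]; then echo denied; return 0; fi
    # For read/search on a directory the kernel tries CAP_DAC_READ_SEARCH first
    # and falls back to CAP_DAC_OVERRIDE, which is why event 658 carries both.
    if [ "$want" = w ]; then echo CAP_DAC_OVERRIDE; else echo CAP_DAC_READ_SEARCH; fi
}

# Succeeds if the unit text on stdin leaves the capability in the bounding set.
# Without a CapabilityBoundingSet= line, root keeps every capability.
bounding_set_has() {
    cap=$1
    line=$(grep '^CapabilityBoundingSet=' | tail -n 1)
    if [ -z "$line" ]; then return 0; fi
    case " ${line#CapabilityBoundingSet=} " in
        *" $cap "*) return 0 ;;
        *) return 1 ;;
    esac
}

triage() {
    echo "SELinux denied these capability checks for tor_t:"
    printf '%s\n' "$SAMPLE_AVC" | avc_caps | sed 's/^/  /'
    echo "Reading /var/lib/tor/hidden_service1 (toranon 0700) as uid 0 needs:"
    echo "  $(dac_cap_needed 0 "$TORANON_UID" 700 r)"
    echo "As toranon itself it needs: $(dac_cap_needed "$TORANON_UID" "$TORANON_UID" 700 r)"
    for cap in CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE; do
        if printf '%s\n' "$SAMPLE_UNIT" | bounding_set_has "$cap"; then
            echo "$cap: kept by the unit's bounding set"
        else
            echo "$cap: dropped by the unit's bounding set, independently of SELinux"
        fi
    done
}

triage
```

It needs only grep, sed and cut. Two things block the root-owned config check independently: the tor_t policy, which is what the enforcing-mode AVC records show, and the unit's CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE, which removes both DAC capabilities from the root process regardless of setenforce. Feeding the AVCs to audit2allow would yield `allow tor_t self:capability { dac_override dac_read_search };`, which makes the symptom go away but hands a confined daemon a DAC bypass it only needs because it reads a toranon-owned directory while still running as root; running the directory check as toranon (the "none" case above) needs no capability at all.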
*** This bug has been marked as a duplicate of bug 1279222 ***
Description of problem:
On fedora 22 with updated packages, tor cannot read /lib/var/tor/hidden_service/

Version-Release number of selected component (if applicable):
0.2.6.10-1.fc22

How reproducible:
Easy

Steps to Reproduce:
1. dnf install tor
2. in /etc/torrc un-comment the section about hidden services
3. systemctl start tor

Actual results:
Tor fails to start

Expected results:
tor should start correctly

Additional info:
Relevant journal messages:

Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.786 [notice] Read configuration file "/usr/share/tor/defaults-torrc".
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.786 [notice] Read configuration file "/etc/tor/torrc".
Aug 06 11:00:07 *** audit[2832]: <audit-1400> avc: denied { dac_override } for pid=2832 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
Aug 06 11:00:07 *** audit[2832]: <audit-1400> avc: denied { dac_read_search } for pid=2832 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.790 [warn] Directory /var/lib/tor/ssh-chat/ cannot be read: Permission denied
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.790 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.791 [err] Reading config failed--see warnings above.
Aug 06 11:00:07 *** systemd[1]: tor.service: control process exited, code=exited status=255
Aug 06 11:00:07 *** systemd[1]: Failed to start Anonymizing overlay network for TCP.