Bug 1292626
| Summary: | [selinux][tor] selinux prevents hidden services | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jiri Belka <jbelka> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WORKSFORME | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.2 | CC: | jbelka, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-07-07 10:10:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, Could you run: # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules # service auditd restart Then reproduce your issue and attach AVC msgs? Thank you! I would say there is problem with permissions on dir: /var/lib/tor/ovirt_service/ For more info see: http://danwalsh.livejournal.com/34903.html Could you change permissions on that dir and try to reproduce the issue? Thank you. I can't reproduce with tor-0.2.7.6-5.el7.x86_64 and redhat-release-server-7.2-9.el7_2.1.x86_64 and selinux-policy-3.13.1-60.el7_2.7.noarch |
Description of problem: tor needs following to be able to serve hidden services: allow tor_t self:capability { dac_read_search dac_override }; tor app directly from tor project rpm repos. # grep 'denied.*tor' /var/log/audit/audit.log | tail -n2 | audit2allow -a -w type=AVC msg=audit(1450394533.559:551): avc: denied { dac_read_search } for pid=4370 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. type=AVC msg=audit(1450394542.219:555): avc: denied { dac_override } for pid=4380 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. # grep 'denied.*tor' /var/log/audit/audit.log | tail -n2 | audit2allow -a -M tor_hidden_services ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i tor_hidden_services.pp Version-Release number of selected component (if applicable): selinux-policy-3.13.1-60.el7.noarch tor-0.2.7.6-tor.1.rh7_1_1503.x86_64 How reproducible: 100% Steps to Reproduce: 1. install tor from https://www.torproject.org/docs/rpms.html.en 2. configure a hidden service 3. start tor Actual results: Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Directory /var/lib/tor/sshd_service/ cannot be read: Permission denied Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [err] Reading config failed--see warnings above. Dec 17 16:58:41 blablabla systemd[1]: tor.service: control process exited, code=exited status=5 Dec 17 16:58:41 blablabla systemd[1]: Failed to start SYSV: Onion Router - A low-latency anonymous proxy. type=AVC msg=audit(1450394533.559:551): avc: denied { dac_read_search } for pid=4370 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability type=AVC msg=audit(1450394542.219:555): avc: denied { dac_override } for pid=4380 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability Expected results: should work by default Additional info: