Bug 1333969

Summary: SELinux preventing tor from read access on the file unix
Product: [Fedora] Fedora
Reporter: Paul DeStefano <prd-fedora>
Component: tor
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 23
CC: misc, pfrields, pwouters, s
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-02 17:56:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Paul DeStefano 2016-05-06 20:41:27 UTC
Description of problem:
I noticed this new AVC after manually restarting tor service, today.  I did this after upgrading openssl, thinking it might be necessary.

Raw Audit Messages
type=AVC msg=audit(1462562511.162:394642): avc:  denied  { read } for  pid=2789 comm="tor" name="unix" dev="proc" ino=4026532020 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

Hash: tor,tor_t,proc_net_t,file,read

Version-Release number of selected component (if applicable):
tor-0.2.7.6-5.fc23.x86_64
selinux-policy-3.13.1-158.15.fc23.noarch

How reproducible:
Not sure, 1/1 times, so far.

Steps to Reproduce:
1.  systemctl restart tor.service

Actual results:
SELinux generates AVC

Expected results:
No AVC

Additional info:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        tor
Source Path                   tor
Port                          <Unknown>
Host                          wrangler
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.15.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     wrangler
Platform                      Linux wrangler 4.4.6-301.fc23.x86_64 #1 SMP Wed Mar 30 16:43:58 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-05-06 12:21:51 PDT
Last Seen                     2016-05-06 12:21:51 PDT
Local ID                      6e3f3668-3e80-4c0e-bd33-a4cb9a9480ae
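To show what the "Hash:" line and an audit2allow-style rule are derived from in the raw AVC quoted above, here is an added Python example (not code from Fedora, tor or setroubleshoot) that parses the audit record into its fields; the sample input is the AVC line from this report, embedded verbatim.

```python
"""Parse an SELinux AVC audit record into its fields, derive the
setroubleshoot-style signature (comm,source type,target type,class,perms)
and the allow rule audit2allow would propose. Added illustration only."""
import re

# Constructed sample: the AVC line quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1462562511.162:394642): avc:  denied  { read } for  '
    'pid=2789 comm="tor" name="unix" dev="proc" ino=4026532020 '
    'scontext=system_u:system_r:tor_t:s0 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0'
)

_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC's fields, or None if the line is not an AVC."""
    m = _PERMS_RE.search(line)
    if not m or 'type=AVC' not in line:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # key=value pairs after the "} for" marker; quoted values lose their quotes
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context):
    """system_u:system_r:tor_t:s0 -> tor_t (third field of the context)."""
    return context.split(':')[2]


def signature(rec):
    """Signature in the same shape as the report's Hash line."""
    return ','.join([rec['comm'], selinux_type(rec['scontext']),
                     selinux_type(rec['tcontext']), rec['tclass'],
                     ' '.join(rec['perms'])])


def allow_rule(rec):
    """TE rule that would permit exactly this access; whether to grant it
    (here: tor_t reading /proc/net/unix) is a policy decision, not automatic."""
    return 'allow %s %s:%s { %s };' % (selinux_type(rec['scontext']),
                                       selinux_type(rec['tcontext']),
                                       rec['tclass'], ' '.join(rec['perms']))


if __name__ == '__main__':
    r = parse_avc(SAMPLE_AVC)
    print(signature(r))   # tor,tor_t,proc_net_t,file,read
    print(allow_rule(r))  # allow tor_t proc_net_t:file { read };
```

The same parser works on AVC records with several permissions in the braces (they are kept as a list), and non-AVC audit lines return None.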

Comment 1 Jamie Nguyen 2016-05-08 21:12:08 UTC
Thanks for your bug report!

Unfortunately, I haven't been able to reproduce your problem. Can you please attach a copy of your /etc/tor/torrc file?

Comment 2 Paul DeStefano 2016-05-08 22:30:18 UTC
You're welcome, no problem.  I'm sorry, too; I think this is the second time I brought you a configuration issue.

Hmm, I bet it's syslog.  Do you think tor will have the capability to log to the journal, soon?

Here is my redacted torrc.  I hope this is okay.

ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1
SOCKSPort 0 # what port to open for local application connections
SOCKSListenAddress 127.0.0.1 # accept connections only from localhost
Log notice syslog
DataDirectory /var/lib/tor
ORPort 9001
ORListenAddress <local if ip>
OutboundBindAddress <local if ip>
Address <externally resolvable hostname>
Nickname <nickname>
RelayBandwidthRate 180 KBytes
RelayBandwidthBurst 240 KBytes
ExitPolicy reject *:*
MaxMemInQueues 2048 MBytes
User  toranon
NumCPUS 2

Comment 3 Jamie Nguyen 2016-06-05 18:00:23 UTC
Is this still happening when you restart Tor?

Comment 4 Paul DeStefano 2016-06-13 04:03:51 UTC
Hi Jamie,

I'm not sure.  Looks like I restarted it on 22 May and sealert doesn't show any new events for it.  So, maybe not.

I'll be sure to check after upgrade to 24, which I'm expecting soon.

(Odd. I don't think I got e-mail about your bug post.)

Comment 5 Paul DeStefano 2016-06-28 04:06:43 UTC
I've upgraded to F24 and rebooted a couple times since my last update.  No recurrences to report.

Comment 6 Michael S. 2016-10-02 17:56:51 UTC
So, closing this bug, per #5. Please reopen if I misunderstood the comment.

Comment 7 Paul DeStefano 2016-10-02 18:10:18 UTC
Hi Michael,

Sorry for the confusion.  I actually think this is a duplicate of the other SELinux tor bug.  I still have four SELinux local policy modules installed to get tor to run.  I think you are working on a patch for that.

*** This bug has been marked as a duplicate of bug 1357395 ***

Comment 8 Paul DeStefano 2016-10-02 18:25:45 UTC
Ah rats.  Okay, I got this mixed up with the other one.  I don't think it's related and I don't have that AVC anymore.