Bug 1368621
| Summary: | SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael Hampton <error> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | ayurtsev, dominick.grift, dwalsh, fedora, hashim.muqtadir, jamielinux, joe, lewk, lvrabec, mgrepl, misc, ollran, plautrba, pwouters, reklov, s, xzj8b3 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:efbcc47b0eb234baf1b54cee584f6f1683fa04c7ae8049e49e8e745a13aa0870;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-191.20.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-10 03:29:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
SELinux is preventing (tor) from mounton access on the directory /run/tor.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp
Description of problem: When starting tor.service with systemd, there is an avc denial. Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.4-301.fc24.x86_64 type: libreport I miss Miroslav Grepl. Is he on vacation? Did he get in an accident? Did he have a death in the family? I hope he's ok. Of course, I also miss TOR too, which is why I miss Miroslav Grepl, to whom this ticket is assigned. Just curious, does Redhat have a succession plan in case something did happen to Miroslav Grepl? Unfortunately, the most I can do from this side of the screen is have my vicar light a candle for both him and tor. Here's wishing both return soon! Nice passive aggressive behaviour is always appreciated. Why/What is tor attemppting to mount on /var/tor? Or is this systemd creating a separate mount namespace? Lukas easiest way to fix this is to make tor_var_run_t a mount point, or just allow init_t to mount on all file types since this seems to be what is going to happening with the use of the mount namespace. Dan, Your question, I would say that system is creating mount namespace. I'm not sure if we would like to allow init_t to mount all file types. I incline to make tor_var_run_t as mountpoint. Joseph, If you would like to fix it ASAP see my blogpost: http://lvrabec-selinux.rhcloud.com/2016/09/19/creating-local-module-quickly-in-cil/ PS: Miroslav is doing well. So the fix is not sufficient, there is also other mount point to be marked, as seen on https://bugzilla.redhat.com/show_bug.cgi?id=1357395 (A PR have been opened too, https://github.com/fedora-selinux/selinux-policy/pull/156 ) selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3 selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3 selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (tor) should be allowed mounton access on the tor directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(tor)' --raw | audit2allow -M my-tor # semodule -X 300 -i my-tor.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:tor_var_run_t:s0 Target Objects /run/tor [ dir ] Source (tor) Source Path (tor) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages tor-0.2.7.6-6.fc24.x86_64 Policy RPM selinux-policy-3.13.1-191.10.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-08-20 02:24:37 EDT Last Seen 2016-08-20 02:24:37 EDT Local ID b3ccfaea-42c2-4e27-94c0-1af2246fe44a Raw Audit Messages type=AVC msg=audit(1471674277.852:11619): avc: denied { mounton } for pid=508 comm="(tor)" path="/run/tor" dev="tmpfs" ino=26675 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0 Hash: (tor),init_t,tor_var_run_t,dir,mounton Version-Release number of selected component: selinux-policy-3.13.1-191.10.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.6-300.fc24.x86_64 type: libreport