Bug 1368621
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor. | | |
| Product | Fedora | Reporter | Michael Hampton |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 24 | CC | ayurtsev, dominick.grift, dwalsh, fedora, hashim.muqtadir, jamielinux, joe, lewk, lvrabec, mgrepl, misc, ollran, plautrba, pwouters, reklov, s, xzj8b3 |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Unspecified | | |
| Whiteboard | abrt_hash:efbcc47b0eb234baf1b54cee584f6f1683fa04c7ae8049e49e8e745a13aa0870;VARIANT_ID=workstation; | | |
| Fixed In Version | selinux-policy-3.13.1-191.20.fc24 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-11-10 03:29:32 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Michael Hampton
2016-08-20 06:25:35 UTC
SELinux is preventing (tor) from mounton access on the directory /run/tor.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Description of problem:
When starting tor.service with systemd, there is an avc denial.

Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.6.4-301.fc24.x86_64
type: libreport

I miss Miroslav Grepl. Is he on vacation? Did he get in an accident? Did he have a death in the family? I hope he's ok. Of course, I also miss TOR too, which is why I miss Miroslav Grepl, to whom this ticket is assigned. Just curious, does Redhat have a succession plan in case something did happen to Miroslav Grepl? Unfortunately, the most I can do from this side of the screen is have my vicar light a candle for both him and tor. Here's wishing both return soon!

Nice passive aggressive behaviour is always appreciated.

Why/What is tor attempting to mount on /var/tor? Or is this systemd creating a separate mount namespace?

Lukas, the easiest way to fix this is to make tor_var_run_t a mount point, or just allow init_t to mount on all file types, since this seems to be what is going to happen with the use of the mount namespace.

Dan, to your question: I would say that the system is creating a mount namespace. I'm not sure if we would like to allow init_t to mount all file types. I incline to make tor_var_run_t a mountpoint.

Joseph, if you would like to fix it ASAP see my blogpost: http://lvrabec-selinux.rhcloud.com/2016/09/19/creating-local-module-quickly-in-cil/

PS: Miroslav is doing well.

So the fix is not sufficient, there is also another mount point to be marked, as seen on https://bugzilla.redhat.com/show_bug.cgi?id=1357395 (a PR has been opened too, https://github.com/fedora-selinux/selinux-policy/pull/156 )

selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
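The setroubleshoot text above suggests a catch-all `audit2allow` module, and the later comments narrow the real fix to letting init_t mount on tor_var_run_t. The script below is an added example, not part of this bug report and not code from the selinux-policy project: it writes the same interim workaround as a single, explicit CIL rule instead of whatever `audit2allow` happens to generate from the audit log, so the grant is limited to the one access that was denied (init_t, tor_var_run_t, class dir, permission mounton) rather than to every file type. The type names come from Dan's and Lukas's comments; the module name `local_tor_mounton`, the file path and the helper function names are assumptions made for this example. The `-X 300` priority mirrors the setroubleshoot suggestion; since the module name is unique it only matters if a same-named module exists at a lower priority.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): interim local
# CIL module for the "(tor) mounton /run/tor" denial on Fedora 24.
# Types init_t and tor_var_run_t are taken from the bug comments; the module
# name and output path below are assumptions for this example.

set -eu

MODULE_NAME="local_tor_mounton"

# Emit the CIL source. One allow rule, matching the denied access exactly:
# source init_t, target tor_var_run_t, object class dir, permission mounton.
# Nothing else is granted (unlike allowing init_t to mount on all file types).
gen_tor_mounton_cil() {
    cat <<'EOF'
;; Local CIL module: let systemd (init_t) set up its mount namespace over
;; /run/tor (tor_var_run_t) when starting tor.service.
(allow init_t tor_var_run_t (dir (mounton)))
EOF
}

# Write the module to a file and, when the SELinux userspace is installed,
# load it with semodule. semodule derives the module name from the file name,
# so the file must be called <MODULE_NAME>.cil. Prints the path written.
install_tor_mounton_cil() {
    out="${1:-./${MODULE_NAME}.cil}"
    gen_tor_mounton_cil > "$out"
    if command -v semodule >/dev/null 2>&1; then
        # Priority 300, as in the setroubleshoot suggestion; the distribution
        # policy lives at priority 100.
        semodule -X 300 -i "$out"
    else
        echo "semodule not found; load manually with: semodule -X 300 -i $out" >&2
    fi
    printf '%s\n' "$out"
}

# Once selinux-policy-3.13.1-191.20.fc24 (or later) is installed, remove the
# interim module so the distribution policy is the only thing granting this.
remove_tor_mounton_cil() {
    if command -v semodule >/dev/null 2>&1; then
        semodule -X 300 -r "$MODULE_NAME"
    fi
}

# Confirm the loaded policy now contains the rule (sesearch is part of
# setools and only exists on SELinux hosts, so this is informational).
check_tor_mounton_allowed() {
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s init_t -t tor_var_run_t -c dir -p mounton
    fi
}
```

Usage on the affected host: `install_tor_mounton_cil`, restart tor.service, then `check_tor_mounton_allowed` should list the allow rule and `ausearch -m AVC -c '(tor)'` should show no new denials. As misc's comment notes, /run/tor was not the only mountpoint involved, so a second denial for another directory is still possible until the fixed package is installed, at which point `remove_tor_mounton_cil` drops the workaround.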