Bug 1369584

Summary: SELinux is preventing (tor) from mounton access on the directory /run/tor
Product: [Fedora] Fedora Reporter: Juan Orti <jorti>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: dominick.grift, dwalsh, esm, joe, lvrabec, mgrepl, misc, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-25 10:48:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juan Orti 2016-08-23 20:48:57 UTC 
Description of problem:

SELinux is preventing (tor) from mounton access on the directory /run/tor.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tor_var_run_t:s0
Target Objects                /run/tor [ dir ]
Source                        (tor)
Source Path                   (tor)
Port                          <Unknown>
Host                          argon
Source RPM Packages           
Target RPM Packages           tor-0.2.7.6-6.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.12.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug
                              10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count                   7683
First Seen                    2016-08-23 00:46:04 CEST
Last Seen                     2016-08-23 22:44:19 CEST
Local ID                      886dcb45-1e8b-410e-afeb-263bba6691ac

Raw Audit Messages
type=AVC msg=audit(1471985059.894:26186): avc:  denied  { mounton } for  pid=3861 comm="(tor)" path="/run/tor" dev="tmpfs" ino=17042 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0


Hash: (tor),init_t,tor_var_run_t,dir,mounton


# ls -laZ /run/tor
total 0
drwxr-x---.  2 toranon toranon system_u:object_r:tor_var_run_t:s0   40 ago 23 09:31 .
drwxr-xr-x. 45 root    root    system_u:object_r:var_run_t:s0     1320 ago 23 10:31 ..

# ls -laZ /usr/bin/tor
-rwxr-xr-x. 1 root root system_u:object_r:tor_exec_t:s0 2296304 feb  5  2016 /usr/bin/tor


Additional info:
# rpm -q tor
tor-0.2.7.6-6.fc24.x86_64
# rpm -q selinux-policy
selinux-policy-3.13.1-191.12.fc24.noarch
Comment 1 Joseph D. Wagner 2016-08-29 06:51:00 UTC 
SELinux is preventing (tor) from mounton access on the directory /run/tor.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If you believe that (tor) should be allowed mounton access on the tor directory by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c '(tor)' --raw | audit2allow -M my-tor
                                                     # semodule -X 300 -i my-tor.pp
Comment 2 Joseph D. Wagner 2016-08-31 13:52:44 UTC 
SELinux is preventing (tor) from mounton access on the directory /run/tor.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:tor_var_run_t:s0
Target Objects /run/tor [ dir ]
Source (tor)
Source Path (tor)
Port
Host localhost.localdomain
Source RPM Packages
Target RPM Packages tor-0.2.7.6-6.fc24.x86_64
Policy RPM selinux-policy-3.13.1-191.13.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.6.7-300.fc24.x86_64
#1 SMP Wed Aug 17 18:48:43 UTC 2016 x86_64 x86_64
Alert Count 30
First Seen 2016-08-28 23:39:19 PDT
Last Seen 2016-08-31 06:51:10 PDT
Local ID 91be2f81-508f-455a-bd33-e0cdabf3173a

Raw Audit Messages
type=AVC msg=audit(1472651470.375:264): avc: denied { mounton } for pid=3273 comm="(tor)" path="/run/tor" dev="tmpfs" ino=23655 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0


Hash: (tor),init_t,tor_var_run_t,dir,mounton
Comment 3 Michael S. 2016-09-25 10:48:00 UTC 

*** This bug has been marked as a duplicate of bug 1357395 ***