| Summary: | Recent tor breaks hidden services | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Timo Schoeler <timo> |
| Component: | tor | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel7 | CC: | misc, pwouters, s, timo |
| Hardware: | All | ||
| OS: | Linux | ||
| Fixed In Version: | tor-0.2.8.8-1.fc24 tor-0.2.8.8-1.fc25 tor-0.2.8.8-1.fc23 tor-0.2.8.8-1.el7 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2016-10-04 18:49:56 UTC | Type: | Bug |
Description
Timo Schoeler
2016-09-30 10:27:26 UTC
No AVC in audit.log, or SELinux error? Can you give the content of torrc? I can't reproduce the error myself.

Also, can you verify if the permissions of /var/lib/tor, etc. seem good enough?

So I was wrong, I can reproduce the issue. That's likely a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1375369 but for epel7, can you verify the workaround I posted there and tell me if that works for you? (Here, it led to more SELinux issues, so I am trying to see if I forgot something.)

```
[user@tiger ~]$ sudo cat /etc/selinux/config
[sudo] password for user:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[user@tiger ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
```

So the issue is definitely linked to various systemd service changes, and quite similar to 1375369. But the fix there is not sufficient, and I can't find which capability is missing on EL7.

In fact, I even suspect I have hit a bug in systemd:

```
# systemctl show tor.service |grep -i cap
CapabilityBoundingSet=1216
# cp fix_rh_1375369.conf /etc/systemd/system/tor.service.d/
# systemctl daemon-reload
# systemctl show tor.service |grep -i cap
CapabilityBoundingSet=0
# cat fix_rh_1375369.conf
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
```

On a working system (on F24), the same file results in:

```
# systemctl show tor.service |grep Capability
CapabilityBoundingSet=1220
```

OK, so this looks like https://github.com/systemd/systemd/issues/1221

I am gonna open a bug report on the systemd package, but in the meantime, the workaround would be to add CapabilityBoundingSet=CAP_DAC_READ_SEARCH in the file in /usr/lib (or something like this).

So the systemd bug: https://bugzilla.redhat.com/show_bug.cgi?id=1381057

Now, I guess I just need to find a proven packager to get this fixed on Fedora and EPEL for good in tor.

tor-0.2.8.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-881d78edf2

tor-0.2.8.8-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-69f1c1433b

tor-0.2.8.8-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-877b55bdd7

tor-0.2.8.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1fce1e0993

I can confirm that https://kojipkgs.fedoraproject.org//packages/tor/0.2.8.8/1.el7/x86_64/tor-0.2.8.8-1.el7.x86_64.rpm fixes the problem on my machine. Thanks!

tor-0.2.8.8-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

tor-0.2.8.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

tor-0.2.8.8-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

tor-0.2.8.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
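
The `CapabilityBoundingSet=` numbers quoted in the thread (1216, 0, 1220) are bitmasks, so the effect of the drop-in is easier to see once they are decoded into capability names. The script below is an added example, not part of the bug report or of the tor or systemd packages; the function names `decode_capset` and `capset_diff` are hypothetical, and it assumes bit N of the printed value is capability number N from `<linux/capability.h>`.

```shell
#!/bin/sh
# Bit N of the mask is capability number N in <linux/capability.h> (assumption
# stated in the lead-in); names are listed in bit order, 0 through 37.
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE
CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ"

# decode_capset MASK: print the names of the capabilities set in MASK,
# lowest bit first; prints an empty line for an empty set.
decode_capset() {
    mask=$1
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        bit=$((bit + 1))
    done
    # Report bits beyond the table by number instead of silently dropping them.
    while [ "$bit" -lt 63 ] && [ $((mask >> bit)) -ne 0 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }bit$bit"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# capset_diff OLD NEW: one line per change, "+NAME" gained, "-NAME" lost.
capset_diff() {
    for c in $(decode_capset $(( $2 & ~$1 ))); do printf '%s\n' "+$c"; done
    for c in $(decode_capset $(( $1 & ~$2 ))); do printf '%s\n' "-$c"; done
}

# The three `systemctl show` lines quoted in the thread:
# EL7 before the drop-in, EL7 after it, F24 after it.
for line in CapabilityBoundingSet=1216 CapabilityBoundingSet=0 \
            CapabilityBoundingSet=1220; do
    m=${line#CapabilityBoundingSet=}
    printf '%-5s %s\n' "$m" "$(decode_capset "$m")"
done
```
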