Bug 1496274
Summary: | SELinux policy provides no way for 'tor' to run its pluggable transports | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Hedayat Vatankhah <hedayatv> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, mh+fedora, plautrba, pmoore, rastus.vernon |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.14.2-15.fc29 selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-09-12 02:56:39 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Hedayat Vatankhah
2017-09-26 21:11:14 UTC
I'm going to add obfs4 transport to Fedora. This bug should be fixed so that this package will function properly when SELinux is enabled.

The package is on its way to repositories. For now, I've created a COPR package with the above policy, but I hope it'll be properly fixed in Fedora soon.

Apparently, in Fedora 27 it needs also 'map' permission:

```
SELinux is preventing obfs4proxy from 'map' accesses on the file /usr/bin/obfs4proxy.

Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/obfs4proxy [ file ]
Source                        obfs4proxy
Source Path                   obfs4proxy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           obfs4-0.0.7-1.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.10.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.8-300.fc27.x86_64 #1 SMP Wed Oct 18 15:32:19 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-10-22 01:34:42 +0330
Last Seen                     2017-10-22 01:34:42 +0330
Local ID                      f3e71023-f57e-4485-a67d-68293fb0a9fb

Raw Audit Messages
type=AVC msg=audit(1508623482.392:509): avc: denied { map } for pid=9778 comm="obfs4proxy" path="/usr/bin/obfs4proxy" dev="sda9" ino=1744533 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Hash: obfs4proxy,tor_t,bin_t,file,map
```

If there is anything missing from the report, please let me know.

This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
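For triaging a denial like the one in the report above, this added example (not code from the bug report or from the selinux-policy project) parses raw AVC records and merges them into the type-enforcement rule each denial corresponds to. The function names are assumptions of this example, and the output is a candidate rule for policy review, not the rule shipped in the Fedora update.

```python
import re
from collections import defaultdict

# AVC record copied from the report above.
SAMPLE = (
    'type=AVC msg=audit(1508623482.392:509): avc: denied { map } for pid=9778 '
    'comm="obfs4proxy" path="/usr/bin/obfs4proxy" dev="sda9" ino=1744533 '
    'scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file permissive=0'
)
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """A context is user:role:type[:level]; return the type or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m or not line.lstrip().startswith('type=AVC'):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    src, tgt = ctx_type(fields.get('scontext', '')), ctx_type(fields.get('tcontext', ''))
    if not (src and tgt and 'tclass' in fields):
        return None  # truncated or malformed record
    return {
        'result': m.group(1), 'perms': m.group(2).split(),
        'comm': fields.get('comm'), 'path': fields.get('path'),
        'source_type': src, 'target_type': tgt, 'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',
    }

def allow_rules(lines):
    """Merge denials into one candidate rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['perms']:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            merged[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = next(iter(perms)) if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([SAMPLE])))  # allow tor_t bin_t:file map;
```

The `enforced` flag separates denials that actually blocked the process (`permissive=0`, as here) from ones that were only logged.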