Bug 1496274
| Summary: | SELinux policy provides no way for 'tor' to run its pluggable transports | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Hedayat Vatankhah <hedayatv> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, mh+fedora, plautrba, pmoore, rastus.vernon |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.2-15.fc29 selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-09-12 02:56:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I'm going to add obfs4 transport to Fedora. This bug should be fixed so that this package will function properly when SELinux is enabled. The package is in its way to repositories. For now, I've created a COPR package with the above policy, but I hope it'll be properly fixed in Fedora soon. Apparently, in Fedora 27 it needs also 'map' permission:
SELinux is preventing obfs4proxy from 'map' accesses on the file /usr/bin/obfs4proxy.
Additional Information:
Source Context system_u:system_r:tor_t:s0
Target Context system_u:object_r:bin_t:s0
Target Objects /usr/bin/obfs4proxy [ file ]
Source obfs4proxy
Source Path obfs4proxy
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages obfs4-0.0.7-1.fc27.x86_64
Policy RPM selinux-policy-3.13.1-283.10.fc27.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.13.8-300.fc27.x86_64 #1 SMP Wed
Oct 18 15:32:19 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-10-22 01:34:42 +0330
Last Seen 2017-10-22 01:34:42 +0330
Local ID f3e71023-f57e-4485-a67d-68293fb0a9fb
Raw Audit Messages
type=AVC msg=audit(1508623482.392:509): avc: denied { map } for pid=9778 comm="obfs4proxy" path="/usr/bin/obfs4proxy" dev="sda9" ino=1744533 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
Hash: obfs4proxy,tor_t,bin_t,file,map
If there is anything missing from the report, please let me know. This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'. This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'. selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726 selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Tor supports 'pluggable transports', and a common method to use them is to configure tor to run the plugin which is a regular binary (e.g. obfs4proxy). However, the default SELinux policy doesn't allow tor to run any binaries, and I didn't find any suitable label to make it work. Using the audit2allow command, I created the following policy which enables tor to run any binaries: ---------------------------------------------- module my-tor 1.0; require { type tor_t; type bin_t; class file { execute execute_no_trans }; } #============= tor_t ============== allow tor_t bin_t:file { execute execute_no_trans }; ---------------------------------------------- Anyway, we need a way to let tor run its pluggable transports. Either the above policy should be added to selinux-policy-targeted or a new tor-selinux package, or we should be able to use a special SELinux label on the binaries which we want tor to be able to run.