Bug 2012006

Summary: Tor AVC denied on f35 after upgrade
Product: [Fedora] Fedora Reporter: Matthieu Saulnier <casper>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 35CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-35.19-1.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-10-02 02:43:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthieu Saulnier 2021-10-07 22:47:06 UTC 
Description of problem:
Tor configured as router + relay is hitting AVC denied after upgrade from f34 to f35 (Fedora Server)



AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 07/10/2021 07:42:15 tor system_u:system_r:tor_t:s0 0 filesystem getattr system_u:object_r:cgroup_t:s0 denied 601
2. 07/10/2021 07:42:15 tor system_u:system_r:tor_t:s0 0 filesystem getattr system_u:object_r:fs_t:s0 denied 602
3. 07/10/2021 07:44:43 tor system_u:system_r:tor_t:s0 0 filesystem getattr system_u:object_r:cgroup_t:s0 denied 1335
4. 07/10/2021 07:44:43 tor system_u:system_r:tor_t:s0 0 filesystem getattr system_u:object_r:fs_t:s0 denied 1336



type=AVC msg=audit(1633585335.809:601): avc:  denied  { getattr } for  pid=1881 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1633585335.809:602): avc:  denied  { getattr } for  pid=1881 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1633585483.740:1335): avc:  denied  { getattr } for  pid=2905 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1633585483.740:1336): avc:  denied  { getattr } for  pid=2905 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1



Version-Release number of selected component (if applicable):
# rpm -q tor selinux-policy-targeted selinux-policy         
tor-0.4.6.7-1.fc35.x86_64
selinux-policy-targeted-34.21-1.fc35.noarch
selinux-policy-34.21-1.fc35.noarch

# getenforce 
Permissive
Comment 1 Fedora Update System 2022-09-16 09:00:48 UTC 
FEDORA-2022-b6f216be9a has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b6f216be9a
Comment 2 Fedora Update System 2022-09-17 01:43:20 UTC 
FEDORA-2022-b6f216be9a has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-b6f216be9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b6f216be9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 3 Fedora Update System 2022-10-02 02:43:02 UTC 
FEDORA-2022-b6f216be9a has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.