Bug 2089486

Summary: Tor with DNSPort
Product: Red Hat Enterprise Linux 9
Reporter: lejeczek <peljasz>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: low
Version: CentOS Stream
CC: bstinson, jwboyer, lvrabec, mmalik, nknazeko, ssekidde, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-34.1.41-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: Missing policy rule to allow tor to bind UDP sockets to all unreserved ports.
Consequence: SELinux prevents tor from binding (name_bind) the UDP port configured as its DNSPort.
Fix: Update tor_bind_all_unreserved_ports so that it also allows tor to bind UDP sockets to all ports > 1024.
Result: No AVC denial.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-15 11:13:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description lejeczek 2022-05-23 19:30:27 UTC
Description of problem:

Hi guys.

These:
semanage port -a -p tcp -t tor_port_t 5553
setsebool -P tor_bind_all_unreserved_ports 1

do not seem enough for Tor with:

DNSPort 5553

I still get:

allow tor_t tor_port_t:udp_socket name_bind;

perhaps more.
It'd be great to have the policy account for such a Tor setup.

many thanks

Version-Release number of selected component (if applicable):

selinux-policy-34.1.31-2.el9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2022-06-02 12:46:06 UTC
Hi,

The tor_bind_all_unreserved_ports boolean affects only TCP ports. Is it an option for you to label the port dns_port_t instead?

rhel91# sesearch -A -s tor_t -t dns_port_t -c udp_socket -p name_bind
allow tor_t dns_port_t:udp_socket name_bind;

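The distinction in the comment above (the boolean covers TCP name_bind only, while tor_t may already name_bind dns_port_t UDP sockets) is easy to get wrong when reading raw AVC records, so here is a small triage helper. It is an added example, not code from the bug report or from the selinux-policy project: it parses audit.log AVC lines and maps a tor_t name_bind denial to the remediation suggested in this thread, choosing `semanage port -m` rather than `-a` when the port already carries a local label (as udp/5553 labelled tor_port_t does in the report) because `-a` on an existing record fails with "already defined". The audit lines, PIDs and timestamps are constructed for the example.

```python
"""Triage SELinux AVC denials for tor's DNSPort (added example, not from the bug).

Policy facts encoded here come from the thread: before
selinux-policy-34.1.41-1.el9, tor_bind_all_unreserved_ports only grants TCP
name_bind, while tor_t may already name_bind dns_port_t udp_sockets.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed audit.log lines in the real AVC layout; not taken from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1653333027.412:9381): avc:  denied  { name_bind } for  pid=2147 comm="tor" src=5553 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1653333027.413:9382): avc:  denied  { name_bind } for  pid=2147 comm="tor" src=5553 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1653333027.412:9381): arch=c000003e syscall=49 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+src=(?P<src>\d+))?'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)


@dataclass
class Avc:
    perms: List[str]
    comm: str
    src: Optional[int]   # local port for name_bind denials, None otherwise
    sdomain: str         # source type, e.g. tor_t
    ttype: str           # target type, e.g. tor_port_t
    tclass: str          # udp_socket / tcp_socket / ...


def parse_avc(line: str) -> Optional[Avc]:
    """Return the parsed AVC record, or None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    return Avc(
        perms=m.group("perms").split(),
        comm=m.group("comm"),
        src=int(m.group("src")) if m.group("src") else None,
        sdomain=m.group("scontext").split(":")[2],
        ttype=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
    )


def suggest_fix(avc: Avc) -> str:
    """Map a tor_t name_bind denial to the remediation from the thread."""
    if avc.sdomain != "tor_t" or "name_bind" not in avc.perms:
        return "not a tor_t name_bind denial; run audit2why on the record"
    if avc.tclass == "tcp_socket":
        # The boolean is enough for TCP (ORPort, SocksPort on a high port).
        return "setsebool -P tor_bind_all_unreserved_ports 1"
    if avc.tclass == "udp_socket" and avc.src is not None:
        # UDP (DNSPort): relabel the port as dns_port_t, which tor_t may bind.
        # An existing local label (e.g. tor_port_t) must be modified, not added.
        verb = "-a" if avc.ttype == "unreserved_port_t" else "-m"
        return f"semanage port {verb} -t dns_port_t -p udp {avc.src}"
    return "unhandled object class; run audit2allow -w on the record"


def triage(log: str) -> List[str]:
    """Return one suggested command per AVC line, in log order."""
    return [suggest_fix(avc) for avc in map(parse_avc, log.splitlines()) if avc]


if __name__ == "__main__":
    for cmd in triage(SAMPLE_AUDIT_LOG):
        print(cmd)
```

Run it against `ausearch -m AVC -c tor --raw` output instead of the constructed sample; after relabelling, confirm with `sesearch -A -s tor_t -t dns_port_t -c udp_socket -p name_bind` as shown in the comment above, and remember that `setenforce` is never needed for this fix.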
Comment 2 lejeczek 2022-06-07 09:56:59 UTC
I can, as anybody can, do that: generate a custom module, etc. Still, something like a boolean could/should cover this, for the sake of all users and out-of-the-box.
thanks, L

Comment 10 errata-xmlrpc 2022-11-15 11:13:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283