Bug 443018

Summary: SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t)
Product: Fedora
Reporter: John Chivall <john>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: jkubin, rh-bugzilla
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-20 11:28:43 UTC
Bug Blocks: 235705

Description John Chivall 2008-04-18 07:58:45 UTC
Description of problem:
SELinux policy is preventing the Tor service from being started (default config).

(Tor can be run as a normal user.)

Version-Release number of selected component (if applicable):
tor-core-0.1.2.19-1.fc9
selinux-policy-3.3.1-35.fc9

How reproducible:
Always

Steps to Reproduce:
1. As root:
   # service tor start
  
Actual results:

Starting /usr/bin/tor: Apr 18 08:45:38.419 [notice] Tor v0.1.2.19. This is
experimental software. Do not rely on it for strong anonymity.
Apr 18 08:45:38.486 [warn] Error setting groups: Operation not permitted
Apr 18 08:45:38.492 [warn] Failed to parse/validate config: Problem with User or
Group value. See logs for details.
Apr 18 08:45:38.500 [err] Reading config failed--see warnings above.
                                                           [FAILED]

AVC denial: SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t)

Expected results:
Tor starts OK

Additional info:

From SELinux troubleshooter:
Summary
SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t).
Detailed Description
SELinux denied access requested by tor. It is not expected that this access is
required by tor and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access. 
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package. 
Additional Information
Source Context:  unconfined_u:system_r:tor_t:s0
Target Context:  unconfined_u:system_r:tor_t:s0
Target Objects:  None [ capability ]
Source:  tor
Source Path:  /usr/bin/tor
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  tor-core-0.1.2.19-1.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-35.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.25-0.234.rc9.git1.fc9.i686 #1 SMP Tue
Apr 15 18:37:15 EDT 2008 i686 athlon
Alert Count:  1
First Seen:  Wed 16 Apr 2008 11:56:02 BST
Last Seen:  Fri 18 Apr 2008 08:35:11 BST
Local ID:  783e3e69-497f-479a-ad57-090c21704df0
Line Numbers:  
Raw Audit Messages :

host=localhost.localdomain type=AVC msg=audit(1208504111.305:27): avc: denied {
setuid } for pid=3074 comm="tor" capability=7
scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0
tclass=capability 

host=localhost.localdomain type=SYSCALL msg=audit(1208504111.305:27):
arch=40000003 syscall=213 success=no exit=-1 a0=1ee a1=681934 a2=95c50f0
a3=bfdade60 items=0 ppid=3073 pid=3074 auid=500 uid=0 gid=491 euid=0 suid=0
fsuid=0 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="tor"
exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null) 

From torrc: (default config)
Group toranon
User  toranon

Group and user both exist.
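
The troubleshooter output above points at generating a local policy module from the denial. As an added illustration (not part of the bug report, and not code from Fedora, setroubleshoot or the Tor project), the following Python script parses the two raw audit records quoted above, decodes the capability number and the i386 syscall number, and emits the allow rule and the module source that `audit2allow -M` would write for that one record. The record strings are constructed copies of the lines above joined back onto single lines; the module name `localtor` and all function names are assumptions of this example.

```python
import re

# Constructed copies of the two raw audit records quoted in the report,
# joined back onto single lines (the page wraps them).
AVC_RECORD = (
    "type=AVC msg=audit(1208504111.305:27): avc: denied { setuid } for pid=3074 "
    'comm="tor" capability=7 scontext=unconfined_u:system_r:tor_t:s0 '
    "tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability"
)
SYSCALL_RECORD = (
    "type=SYSCALL msg=audit(1208504111.305:27): arch=40000003 syscall=213 "
    "success=no exit=-1 a0=1ee a1=681934 a2=95c50f0 a3=bfdade60 items=0 "
    "ppid=3073 pid=3074 auid=500 uid=0 gid=491 euid=0 suid=0 fsuid=0 "
    'egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="tor" '
    'exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null)'
)

# Capability numbers from <linux/capability.h>; only the low range is listed.
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP",
}

# arch=40000003 is AUDIT_ARCH_I386; these are the i386 credential syscalls.
I386_CRED_SYSCALLS = {
    206: "setgroups32", 208: "setresuid32", 210: "setresgid32",
    213: "setuid32", 214: "setgid32",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")


def parse_record(line):
    """Split one audit record into its key=value fields, unquoting values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def denied_perms(avc_line):
    """The permission names inside 'denied { ... }'."""
    return PERMS_RE.search(avc_line).group(1).split()


def format_perms(perms):
    """audit2allow writes a lone permission bare and several inside braces."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def avc_to_allow(avc_line):
    """The TE allow rule audit2allow would emit for one AVC record."""
    rec = parse_record(avc_line)
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    target = "self" if src == tgt else tgt   # audit2allow writes `self` here
    return f"allow {src} {target}:{rec['tclass']} {format_perms(denied_perms(avc_line))};"


def local_module_source(avc_line, name="localtor"):
    """Module source in the shape `audit2allow -M <name>` writes to <name>.te."""
    rec = parse_record(avc_line)
    types = sorted({context_type(rec["scontext"]), context_type(rec["tcontext"])})
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {rec['tclass']} {format_perms(denied_perms(avc_line))};",
              "}", "", avc_to_allow(avc_line)]
    return "\n".join(lines)


def explain_denial(avc_line, syscall_line):
    """Decode the AVC/SYSCALL pair: which capability, which syscall, which uid."""
    avc = parse_record(avc_line)
    sc = parse_record(syscall_line)
    if avc["msg"] != sc["msg"]:
        raise ValueError("records belong to different audit events")
    if sc["arch"] != "40000003":
        raise ValueError("syscall table above covers i386 only")
    nr = int(sc["syscall"])
    return {
        "comm": sc["comm"],
        "capability": CAPABILITY_NAMES.get(int(avc["capability"]), "unknown"),
        "syscall": I386_CRED_SYSCALLS.get(nr, f"nr_{nr}"),
        # For setuid32 the first argument (a0, hex) is the uid being switched to.
        "requested_uid": int(sc["a0"], 16),
        # uid is still 0 while gid/egid are already 491: the group switch had
        # gone through by the time the uid switch was refused.
        "uid": int(sc["uid"]),
        "gid": int(sc["gid"]),
        "succeeded": sc["success"] == "yes",
    }


if __name__ == "__main__":
    print(explain_denial(AVC_RECORD, SYSCALL_RECORD))
    print(local_module_source(AVC_RECORD))
```

On a real system the equivalent is `audit2allow -M localtor < /var/log/audit/audit.log` followed by `semodule -i localtor.pp`, which is what the troubleshooter's FAQ pointer refers to. Two caveats before doing that: the rule only covers the denial that was recorded, while Tor's own warning is about setting groups, and setgroups(2) needs CAP_SETGID rather than CAP_SETUID, so a module built from this single record may merely move the failure to the next denial; collect every AVC from one failed start (disabling dontaudit rules with `semodule -DB` where the policy tools support it) before building the module. And a daemon needing setuid in its own domain is a policy bug to report, which is how this one was resolved (see the closing comment), not something to keep in a local module indefinitely.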

Comment 1 Enrico Scholz 2008-04-18 09:37:51 UTC
reassigning from tor to selinux-policy...

Comment 4 Daniel Walsh 2008-04-20 11:28:43 UTC
Fixed in selinux-policy-3.3.1-37.fc9