Bug 844097
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/tor from 'search' accesses on the directory kernel. |
| Product | Fedora |
| Reporter | Ron Gonzalez <Lcstyle> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 17 |
| CC | dominick.grift, dwalsh, jeff.raber, mgrepl |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Reopened |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:95e1335bf181f0c6403ff573c4d040a576b4933ab4abc4e134aa15a86960c587 |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2012-12-20 15:17:02 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Ron Gonzalez
2012-07-28 21:27:49 UTC
Fixed in selinux-policy-3.10.0-143.fc17.noarch

selinux-policy-3.10.0-145.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-145.fc17

Package selinux-policy-3.10.0-145.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-145.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11591/selinux-policy-3.10.0-145.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-145.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Miroslav, I am seeing this AVC on a fully updated F17 with selinux-policy-3.10.0-161.fc17. The AVC seems to be triggered each time I start the tor service ('systemctl start tor.service'). tor seems to be working just fine without the access.

Raw Audit Messages
type=AVC msg=audit(1354690388.483:1949): avc: denied { search } for pid=12289 comm="tor" name="kernel" dev="proc" ino=8104 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1354690388.483:1949): arch=x86_64 syscall=open success=no exit=EACCES a0=3f418384e4 a1=80000 a2=0 a3=ff items=0 ppid=1 pid=12289 auid=4294967295 uid=991 gid=984 euid=991 suid=991 fsuid=991 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

To gather some additional data, I stopped the tor service ('systemctl stop tor.service'), put SELinux into permissive mode ('setenforce 0'), then started the tor service ('systemctl start tor.service'). The following AVCs were logged:

Raw Audit Messages
type=AVC msg=audit(1354764654.287:2525): avc: denied { search } for pid=2089 comm="tor" name="kernel" dev="proc" ino=8104 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1354764654.287:2525): avc: denied { read } for pid=2089 comm="tor" name="uuid" dev="proc" ino=10497653 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1354764654.287:2525): avc: denied { open } for pid=2089 comm="tor" path="/proc/sys/kernel/random/uuid" dev="proc" ino=10497653 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1354764654.287:2525): arch=x86_64 syscall=open success=yes exit=EPROTOTYPE a0=3f418384e4 a1=80000 a2=0 a3=fd items=0 ppid=1 pid=2089 auid=4294967295 uid=991 gid=984 euid=991 suid=991 fsuid=991 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Added.

commit c00f31fb8f9d5656c3aec17cad1542e7663de8e1
Author: Miroslav Grepl <mgrepl>
Date: Thu Dec 6 10:49:54 2012 +0100

    Allow tor to read /proc/sys/kernel/random/uuid

selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17

Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-145.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
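The enforcing-mode run above logs a single denial (`dir search`) while the permissive-mode run of the same `open()` logs three (`dir search`, `file read`, `file open`). The reason is that in enforcing mode the first denied check aborts the syscall with EACCES before the file-level checks are ever reached, so the raw records only show the full set of permissions once SELinux is permissive. The Python below is an added example written for this page; it is not part of selinux-policy or of audit2allow. It parses the audit records quoted in the report verbatim, joins the AVC records to their SYSCALL record by audit serial, and aggregates the denials into allow rules in the same shape audit2allow prints them. The regexes and the helper names are this example's own.

```python
"""Parse raw SELinux AVC/SYSCALL audit records and derive the allow rules a
policy change would need.  Added example for this bug report; not the code of
selinux-policy or audit2allow."""
import re
from collections import defaultdict

# Records as quoted in the bug report: ENFORCING is what one start of tor
# logged with SELinux enforcing, PERMISSIVE what the same start logged after
# `setenforce 0`.
ENFORCING = [
    'type=AVC msg=audit(1354690388.483:1949): avc: denied { search } for pid=12289 comm="tor" name="kernel" dev="proc" ino=8104 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1354690388.483:1949): arch=x86_64 syscall=open success=no exit=EACCES a0=3f418384e4 a1=80000 a2=0 a3=ff items=0 ppid=1 pid=12289 auid=4294967295 uid=991 gid=984 euid=991 suid=991 fsuid=991 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)',
]
PERMISSIVE = [
    'type=AVC msg=audit(1354764654.287:2525): avc: denied { search } for pid=2089 comm="tor" name="kernel" dev="proc" ino=8104 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir',
    'type=AVC msg=audit(1354764654.287:2525): avc: denied { read } for pid=2089 comm="tor" name="uuid" dev="proc" ino=10497653 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file',
    'type=AVC msg=audit(1354764654.287:2525): avc: denied { open } for pid=2089 comm="tor" path="/proc/sys/kernel/random/uuid" dev="proc" ino=10497653 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1354764654.287:2525): arch=x86_64 syscall=open success=yes exit=EPROTOTYPE a0=3f418384e4 a1=80000 a2=0 a3=fd items=0 ppid=1 pid=2089 auid=4294967295 uid=991 gid=984 euid=991 suid=991 fsuid=991 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)',
]

# key=value pairs; values may be quoted ("tor"), parenthesised ((none)) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# the permission set inside `avc: denied { ... } for`
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(?P<serial>\d+)\)')


def _fields(text):
    """'k=v k2="v 2"' -> {'k': 'v', 'k2': 'v 2'} (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type(context):
    """system_u:system_r:tor_t:s0 -> tor_t (the type is the third field)."""
    return context.split(':')[2]


def parse_record(line):
    """Parse one audit line into a dict, or None if it is not an AVC/SYSCALL record."""
    f = _fields(line)
    kind = f.get('type')
    m = SERIAL_RE.search(line)
    if not m or kind not in ('AVC', 'SYSCALL'):
        return None
    rec = {'kind': kind, 'serial': int(m.group('serial'))}
    if kind == 'AVC':
        a = AVC_RE.search(line)
        if not a or not {'scontext', 'tcontext', 'tclass'} <= f.keys():
            return None
        rec.update(perms=frozenset(a.group('perms').split()), comm=f.get('comm'),
                   stype=_type(f['scontext']), ttype=_type(f['tcontext']),
                   tclass=f['tclass'], target=f.get('path') or f.get('name'))
    else:
        rec.update(syscall=f.get('syscall'), success=f.get('success') == 'yes',
                   exit=f.get('exit'))
    return rec


def outcomes(lines):
    """Join AVC and SYSCALL records by serial: serial -> (denied perms, syscall succeeded)."""
    by_serial = defaultdict(lambda: {'perms': set(), 'success': None})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        entry = by_serial[rec['serial']]
        if rec['kind'] == 'AVC':
            entry['perms'] |= rec['perms']
        else:
            entry['success'] = rec['success']
    return {s: (frozenset(v['perms']), v['success']) for s, v in by_serial.items()}


def allow_rules(lines):
    """Aggregate denials into one `allow src tgt:class perms;` rule per
    (source type, target type, object class), as audit2allow would print."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec['kind'] == 'AVC':
            needed[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        p = sorted(perms)
        rules.append(f'allow {src} {tgt}:{cls} {p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"};')
    return rules


if __name__ == '__main__':
    for label, lines in (('enforcing', ENFORCING), ('permissive', PERMISSIVE)):
        print(label, outcomes(lines))
        for rule in allow_rules(lines):
            print('   ', rule)
```

Run over the enforcing-mode records the parser yields only `allow tor_t sysctl_kernel_t:dir search;`, which is why a module built from that single denial would have left the `file read`/`file open` denials to surface on the next restart; the permissive-mode records give the complete set. Note what the rules actually grant: SELinux decides on labels, not paths, so `allow tor_t sysctl_kernel_t:file { open read };` permits tor to read every file labelled `sysctl_kernel_t`, not only `/proc/sys/kernel/random/uuid`. Output like this is the starting point for reviewing a policy change, not the change itself.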