Bug 914853

Summary: Please make port 9150 tor_socks_port_t
Product: [Fedora] Fedora
Reporter: Jamie Nguyen <jamielinux>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dwalsh
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-04-11 23:34:58 UTC
Type: Bug
Bug Blocks: 915049

Description Jamie Nguyen 2013-02-23 00:48:45 UTC
The new Tor Browser Bundle and Torbutton default to 9150 as the Tor SOCKSPort, so could this please be added to default selinux policy? The current workaround is: semanage port -a -t tor_socks_port_t -p tcp 9150

Package versions:
selinux-policy-targeted-3.11.1-78.fc18

Comment 1 Daniel Walsh 2013-02-24 17:21:54 UTC
I have checked a fix for this into rawhide.  e66a03a0774a527938f3b23e9a86c61f74570134

Comment 2 Jamie Nguyen 2013-02-24 17:24:07 UTC
Excellent, thanks very much Dan. Just wondering, will F18 and F17 see this change too?

Comment 3 Miroslav Grepl 2013-02-25 14:20:58 UTC
I see we have in the policy

tor_socks_port_t               tcp      9050

Comment 4 Jamie Nguyen 2013-02-25 21:40:07 UTC
> I see we have in the policy
>
> tor_socks_port_t               tcp      9050


Yes. I am proposing that both 9050 and 9150 are tor_socks_port_t, as both can reasonably be expected for use as Tor SOCKSPorts.

Comment 5 Miroslav Grepl 2013-02-26 08:52:50 UTC
Ah, you are talking about 9150.

Comment 6 Jamie Nguyen 2013-03-14 22:14:17 UTC
Just wanted to query again about if/when this might find its way into F18? I appreciate that there may be some kind of staging period in rawhide, but I'd really like to see this isolated 2-line change on F18:


--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -96491,7 +96491,7 @@
 +
 +
 +Default Defined Ports:
-+tcp 9050
++tcp 9050,9150
 +.EE
 +.SH "MANAGED FILES"
 +
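Review bot: The changed `tcp 9050,9150` line under "Default Defined Ports:" has no visible context naming the port type it documents, so confirm that this man page section belongs to tor_socks_port_t and stays in step with the network_port(tor_socks, ...) declaration changed later in this patch. The previous entry listed a single port, so also check that the `9050,9150` separator matches how other multi-port entries in these man pages are written.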
@@ -114722,7 +114722,7 @@
  network_port(tftp, udp,69,s0)
 -network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
 +network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
-+network_port(tor_socks, tcp,9050,s0)
++network_port(tor_socks, tcp,9050,s0, tcp,9150,s0)
  network_port(traceroute, udp,64000-64010,s0)
 +network_port(tram, tcp, 4567, s0)
  network_port(transproxy, tcp,8081,s0)
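Review bot: On the `network_port(tor_socks, tcp,9050,s0, tcp,9150,s0)` line, the visible context does not show whether tcp 9150 is already claimed by another network_port() declaration in this file; check for an existing definition before merging, since the hunk only shows the neighbouring tftp, tor, traceroute, tram and transproxy entries. The changelog should also state that every domain already allowed to use tor_socks_port_t gains the same access on 9150.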

Comment 10 Miroslav Grepl 2013-03-20 07:07:54 UTC
Patch added.

commit 6e4575c899a0ab4bc6f7ee29567278e1b1398887
Author: Miroslav Grepl <mgrepl>
Date:   Wed Mar 20 08:07:36 2013 +0100

    Add tcp/9150 as tor_socks_port

Comment 11 Jamie Nguyen 2013-03-20 18:26:29 UTC
Great, thanks very much Miroslav :)

Comment 12 Fedora Update System 2013-03-21 18:25:59 UTC
selinux-policy-3.11.1-87.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-87.fc18

Comment 13 Fedora Update System 2013-03-22 21:13:01 UTC
Package selinux-policy-3.11.1-87.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-87.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4251/selinux-policy-3.11.1-87.fc18
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-04-11 23:35:00 UTC
selinux-policy-3.11.1-87.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
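
To tell whether a host still needs the `semanage port -a` workaround from the description or already carries the updated policy, the port listing can be checked first. The following is an added example, not part of the bug report or the selinux-policy project; the function names and the two sample listings are constructed for illustration and follow the `semanage port -l` column layout quoted in Comment 3.

```bash
#!/bin/sh
# port_has_type TYPE PROTO PORT
# Reads `semanage port -l` style output on stdin and exits 0 when PORT is
# listed for TYPE/PROTO, either as a single port or inside a range.
port_has_type() {
    awk -v t="$1" -v p="$2" -v want="$3" '
        $1 == t && $2 == p {
            list = ""
            for (i = 3; i <= NF; i++) list = list " " $i
            n = split(list, e, /[ ,]+/)        # "9050, 9150" or "9050,9150"
            for (j = 1; j <= n; j++) {
                if (e[j] == "") continue
                m = split(e[j], r, "-")        # "64000-64010" is a range
                lo = r[1] + 0
                hi = (m == 2) ? r[2] + 0 : lo
                if (want + 0 >= lo && want + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Prints the workaround command only when tcp/9150 is not yet labelled.
workaround_needed() {
    if port_has_type tor_socks_port_t tcp 9150; then
        echo "already labelled"
    else
        echo "semanage port -a -t tor_socks_port_t -p tcp 9150"
    fi
}

# Constructed sample listings (not captured from a real host).
sample_before_update() { cat <<'EOF'
SELinux Port Type              Proto    Port Number

tor_port_t                     tcp      6969, 9001, 9030, 9051
tor_socks_port_t               tcp      9050
traceroute_port_t              udp      64000-64010
EOF
}

sample_after_update() { cat <<'EOF'
tor_port_t                     tcp      6969, 9001, 9030, 9051
tor_socks_port_t               tcp      9050, 9150
EOF
}
```

On a live system the same check is `semanage port -l | workaround_needed`, run as root.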