Bug 915049

Summary: SELinux is preventing /usr/bin/tor from 'name_bind' accesses on the tcp_socket .
Product: [Fedora] Fedora Reporter: Richard A. Hogaboom <richard.hogaboom>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, jamielinux, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:fa991927a4898b22c4946f46e0648eec6ca81f9aedf603602542a1a6e287b902
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-25 13:16:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 914853    
Bug Blocks:    
Attachments:
Description Flags
File: screencast-1.ogv
none
File: screencast.ogv none

Description Richard A. Hogaboom 2013-02-24 12:54:54 UTC 
Description of problem:
https://jamielinux.com/articles/2013/01/tor-and-tor-browser-repository-on-fedora/

Instructions for Tor on Fedora 18 fail with SELinux.
SELinux is preventing /usr/bin/tor from 'name_bind' accesses on the tcp_socket .

*****  Plugin bind_ports (85.9 confidence) suggests  *************************

If you want to allow /usr/bin/tor to bind to network port 9150
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 9150
    where PORT_TYPE is one of the following: tor_port_t, tor_socks_port_t.

*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow tor daemon to bind tcp sockets to all unreserved ports.
Then you must tell SELinux about this by enabling the 'tor_bind_all_unreserved_ports' boolean.
You can read 'tor_selinux' man page for more details.
Do
setsebool -P tor_bind_all_unreserved_ports 1

*****  Plugin catchall (1.35 confidence) suggests  ***************************

If you believe that tor should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          9150
Host                          (removed)
Source RPM Packages           tor-0.2.3.25-5.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-81.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.8-202.fc18.x86_64 #1 SMP Fri
                              Feb 15 17:33:07 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-02-24 07:27:40 EST
Last Seen                     2013-02-24 07:27:41 EST
Local ID                      50aa6765-ac07-4024-9060-9f521766e361

Raw Audit Messages
type=AVC msg=audit(1361708861.100:394): avc:  denied  { name_bind } for  pid=26990 comm="tor" src=9150 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1361708861.100:394): arch=x86_64 syscall=bind success=no exit=EACCES a0=7 a1=7ffb26f98090 a2=10 a3=7fffccb9c334 items=0 ppid=1 pid=26990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Hash: tor,tor_t,unreserved_port_t,tcp_socket,name_bind

audit2allow

#============= tor_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, tor_bind_all_unreserved_ports

allow tor_t unreserved_port_t:tcp_socket name_bind;

audit2allow -R

#============= tor_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, tor_bind_all_unreserved_ports

allow tor_t unreserved_port_t:tcp_socket name_bind;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.8-202.fc18.x86_64
type:           libreport
Comment 1 Richard A. Hogaboom 2013-02-24 12:55:00 UTC 
Created attachment 702001 [details]
File: screencast-1.ogv
Comment 2 Richard A. Hogaboom 2013-02-24 12:55:05 UTC 
Created attachment 702002 [details]
File: screencast.ogv
Comment 3 Jamie Nguyen 2013-02-24 13:00:04 UTC 
The solution is here:
https://bugzilla.redhat.com/show_bug.cgi?id=914853

OT: Also Richard, that repository included an update for selinux-policy that fixes this. Did "yum update" not pull that in for you?
Comment 4 Miroslav Grepl 2013-02-25 13:16:01 UTC 
*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1



*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow tor daemon to bind tcp sockets to all unreserved ports.
Then you must tell SELinux about this by enabling the 'tor_bind_all_unreserved_ports' boolean.
You can read 'tor_selinux' man page for more details.
Do
setsebool -P tor_bind_all_unreserved_ports 1