Description of problem:
On Fedora 22 with updated packages, tor cannot read /lib/var/tor/hidden_service/

Version-Release number of selected component (if applicable):
0.2.6.10-1.fc22

How reproducible:
Easy

Steps to Reproduce:
1. dnf install tor
2. in /etc/torrc un-comment the section about hidden services
3. systemctl start tor

Actual results:
Tor fails to start

Expected results:
tor should start correctly

Additional info:
Relevant journal messages:

Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.786 [notice] Read configuration file "/usr/share/tor/defaults-torrc".
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.786 [notice] Read configuration file "/etc/tor/torrc".
Aug 06 11:00:07 *** audit[2832]: <audit-1400> avc: denied { dac_override } for pid=2832 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
Aug 06 11:00:07 *** audit[2832]: <audit-1400> avc: denied { dac_read_search } for pid=2832 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.790 [warn] Directory /var/lib/tor/ssh-chat/ cannot be read: Permission denied
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.790 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Aug 06 11:00:07 *** tor[2832]: Aug 06 11:00:07.791 [err] Reading config failed--see warnings above.
Aug 06 11:00:07 *** systemd[1]: tor.service: control process exited, code=exited status=255
Aug 06 11:00:07 *** systemd[1]: Failed to start Anonymizing overlay network for TCP.
Tor fails to start because of a wrong SELinux policy.

journalctl:

août 16 13:23:01 mosquito systemd[1]: Starting Anonymizing overlay network for TCP...
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.072 [notice] Tor v0.2.6.10 (git-58c51dc6087b0936) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k-fips and Zlib 1.2.8.
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.075 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.077 [notice] Read configuration file "/usr/share/tor/defaults-torrc".
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.079 [notice] Read configuration file "/etc/tor/torrc".
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.107 [warn] Directory /var/lib/tor/hidden_service1 cannot be read: Permission denied
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.110 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
août 16 13:23:01 mosquito tor[32734]: Aug 16 13:23:01.113 [err] Reading config failed--see warnings above.
août 16 13:23:01 mosquito systemd[1]: tor.service: control process exited, code=exited status=255
août 16 13:23:01 mosquito systemd[1]: Failed to start Anonymizing overlay network for TCP.
août 16 13:23:01 mosquito systemd[1]: Unit tor.service entered failed state.
août 16 13:23:01 mosquito systemd[1]: tor.service failed.
août 16 13:23:01 mosquito systemd[1]: tor.service holdoff time over, scheduling restart.
août 16 13:23:01 mosquito systemd[1]: start request repeated too quickly for tor.service
août 16 13:23:01 mosquito systemd[1]: Failed to start Anonymizing overlay network for TCP.
août 16 13:23:01 mosquito systemd[1]: Unit tor.service entered failed state.
août 16 13:23:01 mosquito systemd[1]: tor.service failed.

SELinux AVC list:

# aureport -a -ts today
39. 16/08/2015 13:23:01 tor system_u:system_r:tor_t:s0 4 capability dac_override system_u:system_r:tor_t:s0 denied 658
40. 16/08/2015 13:23:01 tor system_u:system_r:tor_t:s0 4 capability dac_read_search system_u:system_r:tor_t:s0 denied 658

If you switch SELinux to permissive mode, tor will start properly. Also, SELinux will produce AVC errors for 'dac_override' only (permissive mode):

42. 16/08/2015 13:25:10 tor system_u:system_r:tor_t:s0 4 capability dac_override system_u:system_r:tor_t:s0 denied 664
43. 16/08/2015 13:25:10 tor system_u:system_r:tor_t:s0 4 capability dac_override system_u:system_r:tor_t:s0 denied 666
Reassigning ticket to selinux-policy-targeted component
Adding raw messages from audit.log:

type=SYSCALL msg=audit(1439724181.101:658): arch=c000003e syscall=4 success=no exit=-13 a0=564e14c66f70 a1=7ffdda00c7a0 a2=7ffdda00c7a0 a3=0 items=0 ppid=1 pid=32734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_read_search } for pid=32734 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_override } for pid=32734 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
I confirm this bug on Fedora 23 x86, upgraded from Fedora 21 (by DNF system-upgrade plugin) and updated fully with installed tor.i686 0.2.6.10-6.fc23.

# uname -r
4.2.6-300.fc23.i686+PAE

* When I place the HiddenService private_key file directly in /var/lib/tor and fix /etc/tor/torrc, the tor daemon starts correctly and my hidden service works fine.
* When I place the private_key file into the subdirectory /var/lib/tor/hidden_service1 (and fix torrc), TOR never starts and I see this on the command line:

Job for tor.service failed because the control process exited with error code. See "systemctl status tor.service" and "journalctl -xe" for details.

and in journalctl:

[warn] Directory /var/lib/tor/hidden_service1 cannot be read: Permission denied
[warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
[err] Reading config failed--see warnings above.

Remarks:
* Disabling SELinux does not help - I tried `setenforce 0` and `restorecon -R /var/lib/tor`, but this does not work.
* I checked permissions and owners, setting them like the parent directory - also no result.

My /etc/tor/torrc:
------------------------------------------------
ControlPort <DELETED>
HashedControlPassword <DELETED>
ORPort 9001
DirPort 9030
HiddenServiceDir /var/lib/tor/hidden_service1
HiddenServicePort 80 127.0.0.1:8080
OutboundBindAddress <DELETED>
Nickname <DELETED>
ContactInfo <DELETED>
ExitRelay 0
ExitPolicy reject *:*
------------------------------------------------

Permissions for Hidden Service files:
------------------------------------------------
# ls -la /var/lib/tor/hidden_service1/
drwx------. 2 toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 4096 Nov 23 12:14 .
drwx------. 6 toranon root    system_u:object_r:tor_var_lib_t:s0      4096 Nov 24 20:16 ..
-rw-------. 1 toranon toranon unconfined_u:object_r:tor_var_lib_t:s0   23 Nov 16 03:23 hostname
-rw-------. 1 toranon toranon unconfined_u:object_r:tor_var_lib_t:s0  887 Sep 25  2014 private_key
------------------------------------------------
I also checked the systemd unit and tried to fix the Hardening section, parameter ReadWriteDirectories, but also no result:

# cat /usr/lib/systemd/system/tor.service
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=30
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768

# Hardening
PrivateTmp=yes
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/lib/tor/hidden_service1
ReadWriteDirectories=/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

[Install]
WantedBy = multi-user.target
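Added example, not code from this bug or from the tor or selinux-policy packages: a small Python checker that parses the two capability AVC records quoted above and compares them with the order in which the kernel falls back on CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE when a process is kept out of a directory by plain DAC, modelling the situation in the reports (a uid 0 tor process, as in the SYSCALL record, and a 0700 directory owned by toranon, as in the listing). The uid 1001 for toranon and all function names are assumptions; group membership is ignored.

```python
import re
import stat

# Capability numbers from <linux/capability.h>; only the two seen in this report.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

# Constructed sample: the two AVC records quoted in this bug, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_read_search } for pid=32734 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1439724181.101:658): avc: denied { dac_override } for pid=32734 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perm>[^}]+?) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?capability=(?P<cap>\d+).*?scontext=(?P<scontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+).*?permissive=(?P<permissive>[01])'
)

def parse_capability_denials(text):
    """One dict per tclass=capability AVC denial found in the audit text."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("tclass") == "capability":
            found.append({
                "perm": m.group("perm"), "comm": m.group("comm"),
                "cap": CAP_NAMES.get(int(m.group("cap")), "capability " + m.group("cap")),
                "domain": m.group("scontext").split(":")[2],  # e.g. tor_t
                "enforcing": m.group("permissive") == "0",
            })
    return found

def dac_search_capabilities(proc_uid, dir_uid, dir_mode):
    """Capabilities the kernel consults (generic_permission() order) when a process
    searches a directory that plain DAC keeps it out of. Groups ignored (assumption)."""
    x_bit = stat.S_IXUSR if proc_uid == dir_uid else stat.S_IXOTH
    if dir_mode & x_bit:
        return []
    # Read-only access to a directory tries CAP_DAC_READ_SEARCH, then CAP_DAC_OVERRIDE;
    # SELinux emits one AVC per capability it refuses, in that order.
    return ["CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE"]

def denials_explain_eacces(audit_text, proc_uid, dir_uid, dir_mode):
    """True if every capability the kernel would fall back on for this directory was
    refused by SELinux in enforcing mode, i.e. the AVCs account for the EACCES."""
    consulted = dac_search_capabilities(proc_uid, dir_uid, dir_mode)
    denied = {d["cap"] for d in parse_capability_denials(audit_text) if d["enforcing"]}
    return bool(consulted) and all(c in denied for c in consulted)
```

Whether the process actually holds those capabilities is a separate question from the SELinux decision: the unit's CapabilityBoundingSet above lists only CAP_SETUID, CAP_SETGID and CAP_NET_BIND_SERVICE, so the model only says which checks the kernel reaches for a 0700 directory the process does not own.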
*** This bug has been marked as a duplicate of bug 1279222 ***