This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1292626 - [selinux][tor] selinux prevents hidden services
[selinux][tor] selinux prevents hidden services
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
low Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-17 18:54 EST by Jiri Belka
Modified: 2016-07-07 06:10 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-07 06:10:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jiri Belka 2015-12-17 18:54:17 EST
Description of problem:

tor needs following to be able to serve hidden services:

allow tor_t self:capability { dac_read_search dac_override };

tor app directly from tor project rpm repos.

# grep 'denied.*tor' /var/log/audit/audit.log  | tail -n2 | audit2allow -a -w
type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

# grep 'denied.*tor' /var/log/audit/audit.log  | tail -n2 | audit2allow -a -M tor_hidden_services
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i tor_hidden_services.pp

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch
tor-0.2.7.6-tor.1.rh7_1_1503.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install tor from https://www.torproject.org/docs/rpms.html.en
2. configure a hidden service
3. start tor

Actual results:
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Directory /var/lib/tor/sshd_service/ cannot be read: Permission denied
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [err] Reading config failed--see warnings above.
Dec 17 16:58:41 blablabla systemd[1]: tor.service: control process exited, code=exited status=5
Dec 17 16:58:41 blablabla systemd[1]: Failed to start SYSV: Onion Router - A low-latency anonymous proxy.

type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

Expected results:
should work by default

Additional info:
Comment 2 Lukas Vrabec 2016-03-17 06:28:53 EDT
Hi, 
Could you run:
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

Then reproduce your issue and attach AVC msgs? 

Thank you!
Comment 5 Lukas Vrabec 2016-06-27 11:09:38 EDT
I would say there is problem with permissions on dir: /var/lib/tor/ovirt_service/

For more info see: http://danwalsh.livejournal.com/34903.html

Could you change permissions on that dir and try to reproduce the issue? 

Thank you.
Comment 6 Jiri Belka 2016-07-07 06:10:28 EDT
I can't reproduce with tor-0.2.7.6-5.el7.x86_64 and redhat-release-server-7.2-9.el7_2.1.x86_64 and selinux-policy-3.13.1-60.el7_2.7.noarch

Note You need to log in before you can comment on or make changes to this bug.