Bug 1292626 - [selinux][tor] selinux prevents hidden services
Summary: [selinux][tor] selinux prevents hidden services
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-12-17 23:54 UTC by Jiri Belka
Modified: 2016-07-07 10:10 UTC
CC: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-07 10:10:28 UTC
Target Upstream Version:
Embargoed:



Description Jiri Belka 2015-12-17 23:54:17 UTC
Description of problem:

tor needs the following to be able to serve hidden services:

allow tor_t self:capability { dac_read_search dac_override };

The tor package is installed directly from the Tor Project rpm repos.

# grep 'denied.*tor' /var/log/audit/audit.log  | tail -n2 | audit2allow -a -w
type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

# grep 'denied.*tor' /var/log/audit/audit.log  | tail -n2 | audit2allow -a -M tor_hidden_services
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i tor_hidden_services.pp

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch
tor-0.2.7.6-tor.1.rh7_1_1503.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install tor from https://www.torproject.org/docs/rpms.html.en
2. configure a hidden service
3. start tor

Actual results:
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Directory /var/lib/tor/sshd_service/ cannot be read: Permission denied
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [err] Reading config failed--see warnings above.
Dec 17 16:58:41 blablabla systemd[1]: tor.service: control process exited, code=exited status=5
Dec 17 16:58:41 blablabla systemd[1]: Failed to start SYSV: Onion Router - A low-latency anonymous proxy.

type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

Expected results:
should work by default

Additional info:

Comment 2 Lukas Vrabec 2016-03-17 10:28:53 UTC
Hi, 
Could you run:
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

Then reproduce your issue and attach AVC msgs? 

Thank you!

Comment 5 Lukas Vrabec 2016-06-27 15:09:38 UTC
I would say there is problem with permissions on dir: /var/lib/tor/ovirt_service/

For more info see: http://danwalsh.livejournal.com/34903.html

Could you change permissions on that dir and try to reproduce the issue? 

Thank you.
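
The AVC records in the description and the diagnosis in Comment 5 fit together: a denial of dac_override or dac_read_search in the capability class means the kernel's ordinary owner/group/other check would have refused tor the path, so tor fell back to the capability and SELinux refused that instead. The script below is an added example for this page, not code from tor or selinux-policy. It names the numeric "capability=N" field from the AVC lines, then walks a DataDirectory and reports every path the service identity cannot reach by mode bits alone, which is what to fix before reaching for audit2allow. Assumptions: uid/gid are passed numerically instead of resolving the tor account, POSIX ACLs are ignored, the sample records are the two AVC lines from the description plus one constructed dir-class record, and the demo tree it builds is constructed too.

```python
"""Triage capability AVC denials that are really DAC permission problems.

Added example for this bug page; not part of tor or selinux-policy.
A confined daemon asking for CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH means
the normal owner/group/other check would refuse it a file it needs. The
fix is chown/chmod on that path, not an "allow tor_t self:capability" rule
that would let the daemon read any file on the box regardless of mode.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Values as printed in the "capability=N" AVC field (linux/capability.h;
# only the low numbers are listed).
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search",
                    3: "fowner", 4: "fsetid"}
DAC_CAPABILITIES = {"dac_override", "dac_read_search"}

# First two lines copied from this bug's description; the third is a
# constructed dir-class denial to show that only tclass=capability is kept.
SAMPLE_AVC = [
    'type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
    'type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
    'type=AVC msg=audit(1450394600.000:560): avc:  denied  { read } for  pid=4390 comm="tor" name="sshd_service" dev="dm-0" ino=1234 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:tor_var_lib_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)"(?:\s+capability=(?P<cap>\d+))?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass
class CapabilityDenial:
    comm: str
    domain: str       # source type, e.g. tor_t
    capability: str   # capability name, e.g. dac_override


def parse_capability_denials(lines):
    """Return the capability-class denials with the numeric capability named."""
    found = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability" or m.group("cap") is None:
            continue
        number = int(m.group("cap"))
        found.append(CapabilityDenial(
            comm=m.group("comm"),
            domain=m.group("scontext").split(":")[2],
            capability=CAPABILITY_NAMES.get(number, "cap_%d" % number),
        ))
    return found


def dac_allows(path, uid, gid, need, groups=()):
    """Plain POSIX mode-bit check in the kernel's order: owner bits if uid owns
    the inode, else group bits on a group match, else other bits. Root's bypass
    is deliberately not modelled, because that bypass is exactly the capability
    SELinux refused. ACLs are ignored (assumption of this example)."""
    st = os.stat(path)
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid or st.st_gid in groups:
        shift = 3
    else:
        shift = 0
    bits = (st.st_mode >> shift) & 0o7
    wanted = sum({"r": 4, "w": 2, "x": 1}[c] for c in need)
    return bits & wanted == wanted


def find_dac_problems(root, uid, gid, groups=()):
    """Walk root; report directories the identity cannot search+read and files
    it cannot read. Returns [(path, reason), ...]."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        checks = [(dirpath, "rx")] + [(os.path.join(dirpath, f), "r") for f in filenames]
        for path, need in checks:
            if not dac_allows(path, uid, gid, need, groups):
                st = os.stat(path)
                problems.append((path, "uid %d/gid %d lacks %s on mode %04o owned by %d:%d"
                                 % (uid, gid, need, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)))
    return problems


def verdict(denials, problems):
    """Combine both pieces of evidence into the advice a reviewer would give."""
    if not any(d.capability in DAC_CAPABILITIES for d in denials):
        return "no DAC capability denials; look elsewhere"
    if problems:
        return "fix ownership/mode on %d path(s); do not add a capability allow rule" % len(problems)
    return "DAC denials but no mode-bit problem found; check ACLs, parent directories, or the uid the daemon really runs as"


def owner_of(path):
    """(uid, gid) of a path; lets callers pick identities without touching os."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def make_demo_tree():
    """Constructed hidden-service directory (0700 dir, 0600 files) for the demo.
    Returns (data_dir, hidden_service_dir)."""
    data_dir = tempfile.mkdtemp(prefix="tor-demo-")
    hs = os.path.join(data_dir, "sshd_service")
    os.mkdir(hs)
    os.chmod(hs, 0o700)
    for name in ("hostname", "private_key"):
        p = os.path.join(hs, name)
        with open(p, "w") as f:
            f.write("constructed\n")
        os.chmod(p, 0o600)
    return data_dir, hs


if __name__ == "__main__":
    data_dir, hs = make_demo_tree()
    uid, gid = owner_of(hs)
    denials = parse_capability_denials(SAMPLE_AVC)
    # Same tree seen by its owner, then by a different uid: the usual mistake
    # is a directory created as root while tor runs as its own service user.
    print(verdict(denials, find_dac_problems(data_dir, uid, gid)))
    print(verdict(denials, find_dac_problems(data_dir, uid + 1, gid + 1)))
```

Run stand-alone it prints the verdict twice: once for the directory's owner (no problems, since the AVC lines alone do not say which path was involved) and once for another uid, where the 0700 directory and 0600 key files are listed with a chown/chmod-style reason. The module that audit2allow generated in the description would instead let tor_t bypass mode bits on every file, which is why the shipped policy does not grant it.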

Comment 6 Jiri Belka 2016-07-07 10:10:28 UTC
I can't reproduce with tor-0.2.7.6-5.el7.x86_64 and redhat-release-server-7.2-9.el7_2.1.x86_64 and selinux-policy-3.13.1-60.el7_2.7.noarch

