Bug 1292626 - [selinux][tor] selinux prevents hidden services
Summary: [selinux][tor] selinux prevents hidden services
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-17 23:54 UTC by Jiri Belka
Modified: 2016-07-07 10:10 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-07 10:10:28 UTC


Attachments (Terms of Use)

Description Jiri Belka 2015-12-17 23:54:17 UTC
Description of problem:

tor needs following to be able to serve hidden services:

allow tor_t self:capability { dac_read_search dac_override };

tor app directly from tor project rpm repos.

# grep 'denied.*tor' /var/log/audit/audit.log  | tail -n2 | audit2allow -a -w
type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

# grep 'denied.*tor' /var/log/audit/audit.log  | tail -n2 | audit2allow -a -M tor_hidden_services
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i tor_hidden_services.pp

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch
tor-0.2.7.6-tor.1.rh7_1_1503.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install tor from https://www.torproject.org/docs/rpms.html.en
2. configure a hidden service
3. start tor

Actual results:
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Directory /var/lib/tor/sshd_service/ cannot be read: Permission denied
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details
Dec 17 16:58:41 blablabla tor[3196]: Dec 17 16:58:41.696 [err] Reading config failed--see warnings above.
Dec 17 16:58:41 blablabla systemd[1]: tor.service: control process exited, code=exited status=5
Dec 17 16:58:41 blablabla systemd[1]: Failed to start SYSV: Onion Router - A low-latency anonymous proxy.

type=AVC msg=audit(1450394533.559:551): avc:  denied  { dac_read_search } for  pid=4370 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1450394542.219:555): avc:  denied  { dac_override } for  pid=4380 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

Expected results:
should work by default

Additional info:

Comment 2 Lukas Vrabec 2016-03-17 10:28:53 UTC
Hi, 
Could you run:
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

Then reproduce your issue and attach AVC msgs? 

Thank you!

Comment 5 Lukas Vrabec 2016-06-27 15:09:38 UTC
I would say there is problem with permissions on dir: /var/lib/tor/ovirt_service/

For more info see: http://danwalsh.livejournal.com/34903.html

Could you change permissions on that dir and try to reproduce the issue? 

Thank you.

Comment 6 Jiri Belka 2016-07-07 10:10:28 UTC
I can't reproduce with tor-0.2.7.6-5.el7.x86_64 and redhat-release-server-7.2-9.el7_2.1.x86_64 and selinux-policy-3.13.1-60.el7_2.7.noarch


Note You need to log in before you can comment on or make changes to this bug.