1311788 – SELinux is preventing /usr/bin/tor from using the 'net_admin' capabilities.

Bug 1311788 - SELinux is preventing /usr/bin/tor from using the 'net_admin' capabilities.

Summary: SELinux is preventing /usr/bin/tor from using the 'net_admin' capabilities.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	25
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:7bc0d4a61bc87c987466081a858...
Duplicates (1):	1324658 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-25 01:07 UTC by Andrew Cook
Modified:	2016-08-17 03:03 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.13.1-183.fc25 selinux-policy-3.13.1-208.fc25
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-17 03:03:52 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Andrew Cook 2016-02-25 01:07:54 UTC

Description of problem:
AVC denial upon starting tor

it... seems to work regardless? i'd assume net_admin is set for binding ports < 1024 but there's no apparent need for it
SELinux is preventing /usr/bin/tor from using the 'net_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tor should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:system_r:tor_t:s0
Target Objects                Unknown [ capability ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tor-0.2.7.6-6.fc24.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-171.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc5.git0.1.fc24.x86_64 #1
                              SMP Sun Feb 21 22:39:46 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-02-25 12:03:06 AEDT
Last Seen                     2016-02-25 12:03:06 AEDT
Local ID                      b6491a5d-3df9-4176-8664-6b4b399b0d61

Raw Audit Messages
type=AVC msg=audit(1456362186.891:586): avc:  denied  { net_admin } for  pid=12589 comm="tor" capability=12  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability permissive=0


type=SYSCALL msg=audit(1456362186.891:586): arch=x86_64 syscall=setsockopt success=no exit=EPERM a0=3 a1=1 a2=20 a3=7ffdb468a6c0 items=0 ppid=1 pid=12589 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Hash: tor,tor_t,tor_t,capability,net_admin

Version-Release number of selected component:
selinux-policy-3.13.1-171.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc5.git0.1.fc24.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2016-02-25 15:11:58 UTC

Hi, 
Is everything working without this allow rule, or is something broken with tor?

Comment 2 Andrew Cook 2016-02-25 22:54:56 UTC

Haven't noticed anything broken, but i only rarely use it to test things from a remote ip address

Comment 3 Daniel Walsh 2016-04-07 20:01:30 UTC

*** Bug 1324658 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2016-04-07 20:02:04 UTC

Did tor seem to work correctly.  I have a feeling this can be dontaudited.

Comment 5 Lukas Vrabec 2016-04-11 15:20:13 UTC

Agree.

Comment 6 Jan Kurik 2016-07-26 04:38:17 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 7 Fedora Update System 2016-08-12 14:17:56 UTC

selinux-policy-3.13.1-208.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 8 Fedora Update System 2016-08-12 15:56:26 UTC

selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 9 Fedora Update System 2016-08-17 03:02:16 UTC

selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.