Bug 1368621 - SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor.
Summary: SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:efbcc47b0eb234baf1b54cee584...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-20 06:25 UTC by Michael Hampton
Modified: 2016-11-10 03:29 UTC (History)
17 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-11-10 03:29:32 UTC


Attachments (Terms of Use)

Description Michael Hampton 2016-08-20 06:25:35 UTC
Description of problem:
SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tor_var_run_t:s0
Target Objects                /run/tor [ dir ]
Source                        (tor)
Source Path                   (tor)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           tor-0.2.7.6-6.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.10.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.6-300.fc24.x86_64 #1 SMP Wed
                              Aug 10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-08-20 02:24:37 EDT
Last Seen                     2016-08-20 02:24:37 EDT
Local ID                      b3ccfaea-42c2-4e27-94c0-1af2246fe44a

Raw Audit Messages
type=AVC msg=audit(1471674277.852:11619): avc:  denied  { mounton } for  pid=508 comm="(tor)" path="/run/tor" dev="tmpfs" ino=26675 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0


Hash: (tor),init_t,tor_var_run_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-191.10.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.6-300.fc24.x86_64
type:           libreport

Comment 1 Joseph D. Wagner 2016-08-29 06:50:53 UTC
SELinux is preventing (tor) from mounton access on the directory /run/tor.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If you believe that (tor) should be allowed mounton access on the tor directory by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c '(tor)' --raw | audit2allow -M my-tor
                                                     # semodule -X 300 -i my-tor.pp

Comment 2 sedrubal 2016-09-03 12:25:08 UTC
Description of problem:
When starting tor.service with systemd, there is an avc denial.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport

Comment 3 Joseph D. Wagner 2016-09-21 05:56:33 UTC
I miss Miroslav Grepl.  Is he on vacation?  Did he get in an accident?  Did he have a death in the family?  I hope he's ok.

Of course, I also miss TOR too, which is why I miss Miroslav Grepl, to whom this ticket is assigned.

Just curious, does Redhat have a succession plan in case something did happen to Miroslav Grepl?  Unfortunately, the most I can do from this side of the screen is have my vicar light a candle for both him and tor.

Here's wishing both return soon!

Comment 4 Daniel Walsh 2016-09-21 12:55:10 UTC
Nice passive aggressive behaviour is always appreciated.

Comment 5 Daniel Walsh 2016-09-21 12:56:00 UTC
Why/What is tor attemppting to mount on /var/tor?  Or is this systemd creating a separate mount namespace?

Comment 6 Daniel Walsh 2016-09-21 12:58:27 UTC
Lukas easiest way to fix this is to make tor_var_run_t a mount point, or just allow init_t to mount on all file types since this seems to be what is going to happening with the use of the mount namespace.

Comment 7 Lukas Vrabec 2016-09-21 14:13:09 UTC
Dan, 
Your question, I would say that system is creating mount namespace. I'm not sure if we would like to allow init_t to mount all file types. I incline to make tor_var_run_t as mountpoint.  

Joseph, 
If you would like to fix it ASAP see my blogpost:
http://lvrabec-selinux.rhcloud.com/2016/09/19/creating-local-module-quickly-in-cil/

PS: Miroslav is doing well.

Comment 8 Michael S. 2016-09-25 11:03:25 UTC
So the fix is not sufficient, there is also other mount point to be marked, as seen on https://bugzilla.redhat.com/show_bug.cgi?id=1357395 (A PR have been opened too, https://github.com/fedora-selinux/selinux-policy/pull/156 )

Comment 9 Fedora Update System 2016-11-04 12:11:04 UTC
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 10 Fedora Update System 2016-11-05 03:36:04 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 11 Fedora Update System 2016-11-10 03:29:32 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.