Bug 1368621 - SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor.
Summary: SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:efbcc47b0eb234baf1b54cee584...
Depends On:
Blocks:
 
Reported: 2016-08-20 06:25 UTC by Michael Hampton
Modified: 2016-11-10 03:29 UTC (History)

Fixed In Version: selinux-policy-3.13.1-191.20.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-10 03:29:32 UTC
Type: ---
Embargoed:



Description Michael Hampton 2016-08-20 06:25:35 UTC
Description of problem:
SELinux is preventing (tor) from 'mounton' accesses on the directory /run/tor.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tor_var_run_t:s0
Target Objects                /run/tor [ dir ]
Source                        (tor)
Source Path                   (tor)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           tor-0.2.7.6-6.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.10.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.6-300.fc24.x86_64 #1 SMP Wed
                              Aug 10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-08-20 02:24:37 EDT
Last Seen                     2016-08-20 02:24:37 EDT
Local ID                      b3ccfaea-42c2-4e27-94c0-1af2246fe44a

Raw Audit Messages
type=AVC msg=audit(1471674277.852:11619): avc:  denied  { mounton } for  pid=508 comm="(tor)" path="/run/tor" dev="tmpfs" ino=26675 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0


Hash: (tor),init_t,tor_var_run_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-191.10.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.6-300.fc24.x86_64
type:           libreport

Comment 1 Joseph D. Wagner 2016-08-29 06:50:53 UTC
SELinux is preventing (tor) from mounton access on the directory /run/tor.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Comment 2 sedrubal 2016-09-03 12:25:08 UTC
Description of problem:
When starting tor.service with systemd, there is an avc denial.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport

Comment 3 Joseph D. Wagner 2016-09-21 05:56:33 UTC
I miss Miroslav Grepl.  Is he on vacation?  Did he get in an accident?  Did he have a death in the family?  I hope he's ok.

Of course, I also miss TOR too, which is why I miss Miroslav Grepl, to whom this ticket is assigned.

Just curious, does Red Hat have a succession plan in case something did happen to Miroslav Grepl?  Unfortunately, the most I can do from this side of the screen is have my vicar light a candle for both him and tor.

Here's wishing both return soon!

Comment 4 Daniel Walsh 2016-09-21 12:55:10 UTC
Nice passive aggressive behaviour is always appreciated.

Comment 5 Daniel Walsh 2016-09-21 12:56:00 UTC
Why/What is tor attempting to mount on /var/tor?  Or is this systemd creating a separate mount namespace?

Comment 6 Daniel Walsh 2016-09-21 12:58:27 UTC
Lukas, the easiest way to fix this is to make tor_var_run_t a mount point, or just allow init_t to mount on all file types, since this seems to be what is going to happen with the use of the mount namespace.

Comment 7 Lukas Vrabec 2016-09-21 14:13:09 UTC
Dan,
To your question, I would say that the system is creating a mount namespace. I'm not sure if we would like to allow init_t to mount all file types. I'm inclined to make tor_var_run_t a mountpoint.

Joseph, 
If you would like to fix it ASAP see my blogpost:
http://lvrabec-selinux.rhcloud.com/2016/09/19/creating-local-module-quickly-in-cil/

PS: Miroslav is doing well.
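As an added example (not code from this bug or from the selinux-policy project), the script below parses the raw AVC record quoted in the description, reproduces the setroubleshoot "Hash:" key shown there, and emits the same allow rule both in the .te shape that `audit2allow -M` produces and in the CIL form Lukas's post describes; the regexes and function names are my own.

```python
import re

# AVC record copied from the bug description; used here as constructed sample input.
AVC_LINE = (
    'type=AVC msg=audit(1471674277.852:11619): avc:  denied  { mounton } for  pid=508 '
    'comm="(tor)" path="/run/tor" dev="tmpfs" ino=26675 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 '
    'tclass=dir permissive=0'
)

# An AVC record is "avc: <result> { perms } for" followed by key=value pairs.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields a policy writer needs from one raw AVC line."""
    head = AVC_RE.search(line)
    if head is None:
        raise ValueError("not an AVC record")
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "result": head.group("result"),
        "perms": head.group("perms").split(),
        "comm": kv.get("comm", ""),
        # a context is user:role:type[:range]; allow rules name only the type
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        # permissive=1 means the access was only logged, not blocked
        "enforced": kv.get("permissive", "0") == "0",
    }

def setroubleshoot_hash(avc):
    """Reproduce the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"])])

def te_module(avc, name="my-tor"):
    """Minimal .te source in the shape audit2allow -M generates (require block plus rule)."""
    perms = " ".join(avc["perms"])
    return (f"module {name} 1.0;\n\nrequire {{\n\ttype {avc['stype']};\n\ttype {avc['ttype']};\n"
            f"\tclass {avc['tclass']} {{ {perms} }};\n}}\n\n"
            f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};\n")

def cil_rule(avc):
    """Same rule in CIL; a .cil file with this line loads via 'semodule -i', no require block."""
    return f"(allow {avc['stype']} {avc['ttype']} ({avc['tclass']} ({' '.join(avc['perms'])})))"

if __name__ == "__main__":
    print(cil_rule(parse_avc(AVC_LINE)))  # -> (allow init_t tor_var_run_t (dir (mounton)))
```

Either output is the local stopgap Lukas refers to; the policy-side fix discussed in comments 6 and 7 is to mark tor_var_run_t as a mount point instead of carrying an extra allow rule on each host.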

Comment 8 Michael S. 2016-09-25 11:03:25 UTC
So the fix is not sufficient; there is also another mount point to be marked, as seen on https://bugzilla.redhat.com/show_bug.cgi?id=1357395 (a PR has been opened too, https://github.com/fedora-selinux/selinux-policy/pull/156 ).

Comment 9 Fedora Update System 2016-11-04 12:11:04 UTC
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 10 Fedora Update System 2016-11-05 03:36:04 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 11 Fedora Update System 2016-11-10 03:29:32 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

