Description of problem:
I see this in the log:

sep 14 11:33:23 argon Tor[1716]: Bootstrapped 0%: Starting
sep 14 11:33:47 argon Tor[1716]: Bootstrapped 80%: Connecting to the Tor network
sep 14 11:33:47 argon Tor[1716]: Signaled readiness to systemd
sep 14 11:33:47 argon systemd[1]: Started Anonymizing overlay network for TCP.
sep 14 11:33:57 argon Tor[1716]: Opening Control listener on /run/tor/control
sep 14 11:33:57 argon Tor[1716]: Could not unlink /run/tor/control: Read-only file system

Otherwise, tor is working fine, but I get many of these errors in the log.

Version-Release number of selected component (if applicable):
tor-0.2.8.7-1.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch
selinux-policy-targeted-3.13.1-191.14.fc24.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl start tor.service

Actual results:
Many messages of "Could not unlink /run/tor/control: Read-only file system"

Expected results:
No error messages

Additional info:
My torrc:

ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
SOCKSPort 127.0.0.1:9050
Nickname <redacted>
RelayBandwidthRate 6250 KBytes
RelayBandwidthBurst 6375 KBytes
ContactInfo <redacted>
DirPort 9030
ExitPolicy reject *:*
ExitPolicy reject6 *:*

/run/tor is empty:

[root@argon ~]# ls -la /run/tor
total 0
drwxr-x---.  2 toranon toranon   40 sep 14 11:31 .
drwxr-xr-x. 46 root    root    1360 sep 14 12:32 ..
If I remove all the ReadOnlyDirectories and ReadWriteDirectories from the systemd service file, I don't get this error any more and the socket file is created correctly.
I can't reproduce the issue. Do you run with SELinux in enforcing mode, or with a specific policy (or some specific change)? What does getenforce return, and what is the output of "semanage export"?
Yes, I run with SELinux enabled.

# getenforce
Enforcing

# rpm -q selinux-policy
selinux-policy-3.13.1-191.16.fc24.noarch

# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 antivirus_can_scan_system
boolean -m -1 httpd_can_network_connect
fcontext -a -f a -t httpd_exec_t '/usr/sbin/fcgiwrap'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/export(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/images(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/js(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/upload(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/feed-icons(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/lock(/.*)?'
fcontext -a -f a -t httpd_exec_t '/var/www/ttrss/update.php'
fcontext -a -f a -t httpd_exec_t '/var/www/ttrss/update_daemon2.php'
Can you also paste the output of "mount"? And does placing SELinux in permissive mode fix the issue?
It seems like setting SELinux in permissive mode fixes the issue and the socket is created.

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=2012464k,nr_inodes=503116,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/mapper/fedora_argon-root on / type xfs (rw,noatime,seclabel,attr2,discard,inode64,noquota)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=26,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14424)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
tmpfs on /tmp type tmpfs (rw,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,relatime,seclabel)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
/dev/sda1 on /boot type ext4 (rw,noatime,seclabel,discard,data=ordered)
/dev/mapper/fedora_argon-bittorrent on /var/lib/transmission type xfs (rw,noatime,seclabel,attr2,discard,inode64,noquota)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=404712k,mode=700)
I've seen this AVC, so the problem is probably related to bug #1357395.

SELinux is preventing (tor) from mounton access on the directory /run/tor.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tor_var_run_t:s0
Target Objects                /run/tor [ dir ]
Source                        (tor)
Source Path                   (tor)
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages           tor-0.2.8.7-1.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   35125
First Seen                    2016-08-23 00:46:04 CEST
Last Seen                     2016-10-02 20:56:14 CEST
Local ID                      886dcb45-1e8b-410e-afeb-263bba6691ac

Raw Audit Messages
type=AVC msg=audit(1475434574.57:9040): avc: denied { mounton } for pid=24378 comm="(tor)" path="/run/tor" dev="tmpfs" ino=16985 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0

Hash: (tor),init_t,tor_var_run_t,dir,mounton
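The raw AVC record in the sealert output above is what a triager actually needs: the source type is init_t rather than tor_t because comm="(tor)" is systemd's forked child setting up the unit's mount namespace (the ReadOnlyDirectories/ReadWriteDirectories bind mounts) before it executes the tor binary, and the mounton on the tor_var_run_t directory is what the policy refused. As an added example that is not part of this bug thread or of the tor or selinux-policy packages, the following Python parses audit.log AVC lines into structured fields, skips the other record types that ausearch returns alongside them, reproduces the "Hash:" summary setroubleshoot prints, and renders the TE rule that audit2allow would generate, so a reviewer can see exactly which domain, type, class and permission a local module would open before deciding whether a module or a policy fix like the referenced bug is the right answer. The sample log is constructed: the first AVC is the one quoted above, while the SYSCALL line and the second, permissive=1 AVC are made up here only to exercise the parser's record filtering and enforced/permissive handling.

```python
"""Parse SELinux AVC records from audit.log into structured fields for triage.

Added example; not part of the bug thread or of the tor/selinux-policy packages.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The first record is the AVC quoted in the thread; the
# SYSCALL line and the second, permissive=1 AVC are made up here only so that the
# parser's skipping of non-AVC records and its enforced/permissive handling run.
SAMPLE_LOG = """\
type=AVC msg=audit(1475434574.57:9040): avc:  denied  { mounton } for  pid=24378 comm="(tor)" path="/run/tor" dev="tmpfs" ino=16985 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1475434574.57:9040): arch=c000003e syscall=165 success=no exit=-13 comm="(tor)"
type=AVC msg=audit(1475434600.10:9041): avc:  denied  { unlink } for  pid=24400 comm="tor" name="control" dev="tmpfs" ino=17000 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=sock_file permissive=1
"""

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, name) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str           # "denied" or "granted"
    perms: List[str]        # permissions inside the braces, e.g. ["mounton"]
    fields: Dict[str, str]  # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    @property
    def enforced(self) -> bool:
        """True when the kernel really refused the access (permissive=0)."""
        return self.decision == "denied" and self.fields.get("permissive") == "0"

    @property
    def source_type(self) -> str:
        # user:role:type:level -> the type is the third colon-separated field
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def sealert_hash(self) -> str:
        """Same shape as the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
        return ",".join([self.fields.get("comm", "?"), self.source_type,
                         self.target_type, self.fields["tclass"], " ".join(self.perms)])

    def allow_rule(self) -> str:
        """The TE rule audit2allow would emit for this record (rendered for review only)."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"


def parse_avc_lines(text: str) -> List[AvcRecord]:
    """Return one AvcRecord per type=AVC line; SYSCALL, CWD, PATH and other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for kv in KV_RE.finditer(m.group("rest")):
            key, quoted, bare = kv.groups()
            fields[key] = quoted if quoted is not None else bare
        records.append(AvcRecord(float(m.group("ts")), int(m.group("serial")),
                                 m.group("decision"), m.group("perms").split(), fields))
    return records


def triage(text: str) -> List[str]:
    """One summary line per AVC: whether it was enforced, the sealert hash, and the rule."""
    out = []
    for rec in parse_avc_lines(text):
        mode = "ENFORCED" if rec.enforced else "permissive"
        out.append(f"{rec.serial} {mode} {rec.sealert_hash()} -> {rec.allow_rule()}")
    return out


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

Run against real data with `ausearch -m AVC --raw`, feeding its output to `parse_avc_lines`; the `enforced` flag separates denials that actually blocked the service (as in this report) from permissive-mode records that merely logged what would have been blocked, which is the distinction that matters when a reporter says "permissive fixes it".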
Yup, so let's mark it as a duplicate.

*** This bug has been marked as a duplicate of bug 1357395 ***