Description of problem:
When starting tor, it fails with

[warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied

This is not correct, permissions are okay:

  File: ‘/var/lib/tor/hidden_service/’
  Size: 39        Blocks: 0          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 2149533348  Links: 2
Access: (0700/drwx------)  Uid: (  995/ toranon)   Gid: (  993/ toranon)
Context: system_u:object_r:tor_var_lib_t:s0
Access: 2016-09-29 20:27:11.660000000 +0200
Modify: 2016-09-29 03:48:02.273000000 +0200
Change: 2016-09-29 20:27:48.837000000 +0200
 Birth: -

Widening them instantly throws an error that they're too loose.

Version-Release number of selected component (if applicable):
tor-0.2.8.7-1.el7.x86_64

How reproducible:
Update from tor-0.2.7.6-5.el7.x86_64 to tor-0.2.8.7-1.el7.x86_64, restart, watch it fail.

Steps to Reproduce:
See above.

Actual results:
Tor does not start; error is
[warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied

Expected results:
Tor starting up w/o problem.

Additional info:
No AVC in audit.log, or SELinux error? Can you give the content of torrc? I can't reproduce the error myself. Also, can you verify if the permissions of /var/lib/tor, etc. seem good enough?
So I was wrong, I can reproduce the issue. That's likely a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1375369 but for epel7. Can you verify the workaround I posted there and tell if that works for you? (Here, it led to more SELinux issues, so I am trying to see if I forgot something.)
[user@tiger ~]$ sudo cat /etc/selinux/config
[sudo] password for user:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[user@tiger ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
So the issue is definitely linked to various systemd service changes, and quite similar to 1375369. But the fix there is not sufficient, and I can't find what capability is missing on EL7.
In fact, I even suspect I have hit a bug in systemd:

# systemctl show tor.service |grep -i cap
CapabilityBoundingSet=1216
# cp fix_rh_1375369.conf /etc/systemd/system/tor.service.d/
# systemctl daemon-reload
# systemctl show tor.service |grep -i cap
CapabilityBoundingSet=0
# cat fix_rh_1375369.conf
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE

On a working system (on F24), the same file results in:

# systemctl show tor.service |grep Capability
CapabilityBoundingSet=1220
Ok, so this looks like https://github.com/systemd/systemd/issues/1221. I am gonna open a bug report on the systemd package, but in the meantime, the workaround would be to add CapabilityBoundingSet=CAP_DAC_READ_SEARCH in the file in /usr/lib (or something like this).
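The CapabilityBoundingSet= values quoted above (1216 before the drop-in, 0 after it on EL7, 1220 on F24) are the bounding set as a bitmask, one bit per Linux capability number from <linux/capability.h>. Decoding them is the quickest way to see whether a drop-in merged into the unit's set or wiped it. The decoder below is an added example written for this page, not part of tor, systemd or the bug report; the `systemctl show` sample text is constructed from the numbers in the thread, and the function names are my own.

```python
"""Decode the numeric CapabilityBoundingSet= value printed by older systemd's
`systemctl show` (systemd 219 on EL7 and 229 on F24 print a decimal mask).

Added example for this bug thread; not code from tor, systemd or the reporter.
"""
from __future__ import annotations

# Capability numbers from <linux/capability.h>; list index == bit position.
CAPABILITIES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAPABILITIES)}


def decode_mask(mask: int) -> list[str]:
    """Return the capability names whose bit is set in `mask`, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            # Bits beyond the table are newer capabilities this table does not know.
            names.append(CAPABILITIES[bit] if bit < len(CAPABILITIES) else f"CAP_{bit}")
        bit += 1
    return names


def encode_caps(names: list[str]) -> int:
    """Inverse of decode_mask: build the mask a CapabilityBoundingSet= line asks for."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def parse_show_output(text: str) -> int | None:
    """Extract the numeric CapabilityBoundingSet= value from `systemctl show` output.

    Returns None when the property is absent or not numeric (current systemd
    prints a list of names instead of a mask; that format is out of scope here).
    """
    for line in text.splitlines():
        if line.startswith("CapabilityBoundingSet="):
            value = line.split("=", 1)[1].strip()
            try:
                return int(value, 0)  # decimal as on EL7/F24; "0x..." also accepted
            except ValueError:
                return None
    return None


def diff_masks(before: int, after: int) -> tuple[list[str], list[str]]:
    """(added, removed) capability names between two bounding-set masks."""
    return decode_mask(after & ~before), decode_mask(before & ~after)


# Constructed sample: the three observations from the thread, in the format
# `systemctl show tor.service | grep -i cap` printed on those systems.
SHOW_BEFORE_DROPIN = "CapabilityBoundingSet=1216\n"
SHOW_EL7_WITH_DROPIN = "CapabilityBoundingSet=0\n"
SHOW_F24_WITH_DROPIN = "CapabilityBoundingSet=1220\n"


def summarize() -> dict[str, object]:
    """Decode the thread's three masks and report what the drop-in did on each system."""
    before = parse_show_output(SHOW_BEFORE_DROPIN)
    el7 = parse_show_output(SHOW_EL7_WITH_DROPIN)
    f24 = parse_show_output(SHOW_F24_WITH_DROPIN)
    return {
        "unit_only": decode_mask(before),
        "el7_delta": diff_masks(before, el7),
        "f24_delta": diff_masks(before, f24),
        "dropin_requests": decode_mask(encode_caps(["CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE"])),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run against the thread's numbers, 1216 decodes to CAP_SETGID, CAP_SETUID and CAP_NET_BIND_SERVICE; 1220 is the same set plus CAP_DAC_READ_SEARCH, which is what the drop-in was meant to contribute; 0 is an empty bounding set, so on EL7 the drop-in did not merge with the unit's value but replaced it with nothing, which is why tor could no longer read a 0700 directory it owns after dropping privileges. For a cross-check on a live system, `capsh --decode=0x4c4` prints the same names for 1220.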
So the systemd bug: https://bugzilla.redhat.com/show_bug.cgi?id=1381057. Now, I guess I just need to find a proven packager to get this fixed on Fedora and EPEL for good in tor.
tor-0.2.8.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-881d78edf2
tor-0.2.8.8-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-69f1c1433b
tor-0.2.8.8-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-877b55bdd7
tor-0.2.8.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1fce1e0993
I can confirm that https://kojipkgs.fedoraproject.org//packages/tor/0.2.8.8/1.el7/x86_64/tor-0.2.8.8-1.el7.x86_64.rpm fixes the problem on my machine. Thanks!
tor-0.2.8.8-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
tor-0.2.8.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
tor-0.2.8.8-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
tor-0.2.8.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.